Attacker Value
Unknown
(0 users assessed)
Exploitability
Unknown
(0 users assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
0

CVE-2020-25649

Disclosure Date: December 03, 2020
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics
Base Score:
7.5 High
Impact Score:
3.6
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
None
Integrity (I):
High
Availability (A):
None

General Information

Vendors

  • apache,
  • fasterxml,
  • fedoraproject,
  • netapp,
  • oracle,
  • quarkus

Products

  • agile plm 9.3.6,
  • agile product lifecycle management integration pack 3.6,
  • banking apis,
  • banking apis 19.1,
  • banking apis 19.2,
  • banking apis 20.1,
  • banking apis 21.1,
  • banking platform 2.10.0,
  • banking platform 2.6.2,
  • banking platform 2.7.0,
  • banking platform 2.7.1,
  • banking platform 2.8.0,
  • banking platform 2.9.0,
  • banking treasury management 4.4,
  • blockchain platform,
  • coherence 12.2.1.4.0,
  • coherence 14.1.1.0.0,
  • commerce platform,
  • commerce platform 11.2.0,
  • communications billing and revenue management 12.0.0.3.0,
  • communications billing and revenue management 7.5.0.23.0,
  • communications cloud native core unified data repository 1.4.0,
  • communications convergent charging controller 12.0.4.0.0,
  • communications evolved communications application server 7.1,
  • communications instant messaging server 10.0.1.5.0,
  • communications interactive session recorder 6.3,
  • communications interactive session recorder 6.4,
  • communications messaging server 8.0.2,
  • communications messaging server 8.1,
  • communications network charging and control 12.0.4.0.0,
  • communications offline mediation controller 12.0.0.3,
  • communications pricing design center 12.0.0.4.0,
  • communications services gatekeeper 7.0,
  • communications unified inventory management 7.4.1,
  • fedora 32,
  • goldengate application adapters 19.1.0.0.0,
  • health sciences empirica signal 9.0,
  • health sciences empirica signal 9.1,
  • insurance policy administration,
  • insurance policy administration 11.0.2,
  • insurance rules palette,
  • insurance rules palette 11.0.2,
  • iotdb,
  • jackson-databind,
  • jd edwards enterpriseone orchestrator,
  • jd edwards enterpriseone tools,
  • oncommand api services -,
  • oncommand workflow automation -,
  • primavera gateway,
  • primavera gateway 20.12.0,
  • quarkus,
  • retail service backbone 14.1.3.2,
  • retail service backbone 15.0.3.1,
  • retail service backbone 16.0.3,
  • retail xstore point of service 16.0.6,
  • retail xstore point of service 17.0.4,
  • retail xstore point of service 18.0.3,
  • retail xstore point of service 19.0.2,
  • retail xstore point of service 20.0.1,
  • sd-wan edge 9.0,
  • service level manager -,
  • utilities framework 4.3.0.5.0,
  • utilities framework 4.3.0.6.0,
  • utilities framework 4.4.0.0.0,
  • utilities framework 4.4.0.2.0,
  • utilities framework 4.4.0.3.0,
  • webcenter portal 12.2.1.3.0,
  • webcenter portal 12.2.1.4.0

References

Advisory

Additional Info

Technical Analysis