Vulnerability Details: CVE-2021-20190
A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Products affected by CVE-2021-20190
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:commerce_guided_search_and_experience_manager:11.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:service_level_manager:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:oncommand_api_services:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*
- cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*
- cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-20190
- EPSS score: 0.64% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~68% (the proportion of vulnerabilities that are scored at or below this score)
CVSS scores for CVE-2021-20190
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
8.3 | HIGH | AV:N/AC:M/Au:N/C:P/I:P/A:C | 8.6 | 8.5 | NIST | |
8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.2 | 5.9 | NIST | |
CWE ids for CVE-2021-20190
- CWE-502 (Deserialization of Untrusted Data): The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. Assigned by: secalert@redhat.com (Primary)
References for CVE-2021-20190
- https://bugzilla.redhat.com/show_bug.cgi?id=1916633
  1916633 – (CVE-2021-20190) CVE-2021-20190 jackson-databind: mishandles the interaction between serialization gadgets and typing, related to javax.swing
  Tags: Issue Tracking; Patch; Third Party Advisory
- https://security.netapp.com/advisory/ntap-20210219-0008/
  CVE-2021-20190 FasterXML Jackson Databind Vulnerability in NetApp Products | NetApp Product Security
  Tags: Third Party Advisory
- https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html
  [SECURITY] [DLA 2638-1] jackson-databind security update
  Tags: Mailing List; Third Party Advisory
- https://lists.apache.org/thread.html/r380e9257bacb8551ee6fcf2c59890ae9477b2c78e553fa9ea08e9d9a@%3Ccommits.nifi.apache.org%3E
  svn commit: r1886814 - /nifi/site/trunk/security.html - Pony Mail
  Tags: Mailing List; Third Party Advisory
- https://www.oracle.com//security-alerts/cpujul2021.html
  Oracle Critical Patch Update Advisory - July 2021
  Tags: Third Party Advisory
- https://github.com/FasterXML/jackson-databind/issues/2854
  Block one more gadget type (javax.swing, CVE-2020-xxx) · Issue #2854 · FasterXML/jackson-databind · GitHub
  Tags: Patch; Third Party Advisory