XML External Entity Flaw in FasterXML Jackson Databind
CVE-2020-25649

7.5HIGH

Key Information:

Vendor: Fasterxml
Status: Jackson-databind
Vendor: CVE Published:; 3 December 2020

What is CVE-2020-25649?

A vulnerability in FasterXML Jackson Databind arises from improper handling of XML Entity Expansion, which can be exploited through XML External Entity (XXE) attacks. This flaw allows attackers to gain unauthorized access to sensitive data, adversely affecting data integrity. Ensuring that Jackson Databind is updated to version 2.10.5.1 or later is crucial for mitigating this risk.

Affected Version(s)

jackson-databind jackson-databind-2.11.0

References

https://bugzilla.redhat.com/show_bug.cgi?id=1887664

x_refsource_MISC

https://github.com/FasterXML/jackson-databind/issues/2589

x_refsource_MISC

https://lists.apache.org/thread.html/ra1157e57a01d25e36b0...

mailing-listx_refsource_MLIST

EPSS Score

17% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 3, 2020
Vulnerability Reserved
Sep 16, 2020

CVE-2020-25649 Data

JSON

Fasterxml

What is CVE-2020-25649?

Affected Version(s)

References

EPSS Score

CVSS V3.1

Timeline