CVE-2020-10650 — Vulnetix

Try Vulnetix Request Demo

CVE-2020-10650 PUBLISHED

A deserialization flaw was discovered in jackson-databind through 2.9.10.4. It could allow an unauthenticated user to perform code execution via ignite-jta or quartz-core: org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup, org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory, and org.quartz.utils.JNDIConnectionProvider.

EPSS 9.85% · 92.9th percentile

Risk Scores

EPSS Score

9.85%

92.9th percentile

Affected Products

Vendor	Product	Versions
Ubuntu:20.04:LTS	jackson-databind	2.10.0-2, 2.9.9.3-1, 0
Ubuntu:Pro:14.04:LTS	jackson-databind	0, 2.2.2-1, 2.2.2-1ubuntu0.1~esm1
Ubuntu:24.04:LTS	jackson-databind	0, 2.14.0-1
AWS	connect
Ubuntu:Pro:16.04:LTS	jackson-databind	0, 2.4.2-3, 2.4.2-2
Ubuntu:25.10	jackson-databind	2.14.0+ds-1, 0
Ubuntu:22.04:LTS	jackson-databind	0, 2.12.1-1, 2.12.5-1
Ubuntu:18.04:LTS	jackson-databind	2.8.6-1, 2.9.1-1, 2.9.8-1~18.04

Timeline

Jul 14, 2020 CVE Published
Dec 27, 2022 EPSS Score
Feb 6, 2023 EPSS Score
Mar 7, 2023 EPSS Score
Apr 28, 2023 EPSS Score
Jun 8, 2023 EPSS Score
Aug 29, 2023 EPSS Score
Oct 9, 2023 EPSS Score
Dec 29, 2023 EPSS Score
Feb 8, 2024 EPSS Score
Feb 8, 2024 PoC Published
Apr 30, 2024 EPSS Score

References

https://ubuntu.com/security/CVE-2020-10650 third-party-advisory
https://github.com/FasterXML/jackson-databind/commit/a424c038ba0c0d65e579e22001dec925902ac0ef third-party-advisory
https://github.com/FasterXML/jackson-databind/issues/2658 third-party-advisory
https://github.com/advisories/GHSA-rpr3-cw39-3pxh third-party-advisory
https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 third-party-advisory
https://www.oracle.com/security-alerts/cpujan2021.html third-party-advisory
https://www.oracle.com/security-alerts/cpuoct2022.html third-party-advisory
https://www.cve.org/CVERecord?id=CVE-2020-10650 third-party-advisory
Multiples vulnérabilités dans les produits Splunk advisory

Open in Interactive Console →