VDB

CVE-2020-10650

CVE-2020-10650 PUBLISHED

A deserialization flaw was discovered in jackson-databind through 2.9.10.4. It could allow an unauthenticated user to perform code execution via ignite-jta or quartz-core: org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup, org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory, and org.quartz.utils.JNDIConnectionProvider.

EPSS 9.01% · 92.8th percentile

Risk Scores

EPSS Score
9.01%
92.8th percentile

Affected Products

VendorProductVersions
Ubuntu:20.04:LTSjackson-databind2.9.9.3-1, 0, 2.10.2-1
Ubuntu:Pro:14.04:LTSjackson-databind2.2.2-1ubuntu0.1~esm1, 0, 2.2.2-1
Ubuntu:24.04:LTSjackson-databind0, 2.14.0-1
AWSconnect
Ubuntu:Pro:16.04:LTSjackson-databind0, 2.4.2-3, 2.4.2-2
Ubuntu:25.10jackson-databind2.14.0+ds-1, 0
Ubuntu:22.04:LTSjackson-databind2.12.1-1, 2.12.5-1, 2.13.0-1
Ubuntu:18.04:LTSjackson-databind2.9.1-1, 2.9.4-1, 2.9.8-1~18.04

Timeline

  • Jul 14, 2020 CVE Published
  • Dec 27, 2022 EPSS Score
  • Feb 6, 2023 EPSS Score
  • Mar 7, 2023 EPSS Score
  • Apr 30, 2023 EPSS Score
  • Jun 11, 2023 EPSS Score
  • Sep 1, 2023 EPSS Score
  • Nov 23, 2023 EPSS Score
  • Jan 3, 2024 EPSS Score
  • Feb 8, 2024 PoC Published
  • Mar 26, 2024 EPSS Score
  • May 7, 2024 EPSS Score
Open in Interactive Console →
$ Console Community · 100/wk Open console ›