CVE-2020-10650 - Vulnerability Details - OpenCVE

A deserialization flaw was discovered in jackson-databind through 2.9.10.4. It could allow an unauthenticated user to perform code execution via ignite-jta or quartz-core: org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup, org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory, and org.quartz.utils.JNDIConnectionProvider.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable no

Technical Impact total

Vendors	Products
Fasterxml	Jackson-databind
Oracle	Retail Merchandising System Retail Sales Audit

Configuration 1 [-]

cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:a:oracle:retail_merchandising_system:15.0:::::::*
	cpe:2.3:a:oracle:retail_sales_audit:14.1:::::::*

No data.

References

Link	Providers
https://github.com/FasterXML/jackson-databind/commit/a424c038ba0c0d65e579e22001dec925902ac0ef
https://github.com/FasterXML/jackson-databind/issues/2658
https://github.com/advisories/GHSA-rpr3-cw39-3pxh
https://lists.debian.org/debian-lts-announce/2023/04/msg00032.html
https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
https://security.netapp.com/advisory/ntap-20230818-0007/
https://www.oracle.com/security-alerts/cpujan2021.html
https://www.oracle.com/security-alerts/cpuoct2022.html

History

Mon, 14 Apr 2025 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2022-12-26T00:00:00.000Z

Updated: 2025-04-14T16:22:00.404Z

Reserved: 2020-03-17T00:00:00.000Z

Link: CVE-2020-10650

Vulnrichment

Updated: 2024-08-04T11:06:10.616Z

NVD

Status : Modified

Published: 2022-12-26T20:15:10.433

Modified: 2025-04-14T17:15:23.347

Link: CVE-2020-10650

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2020-10650", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2025-04-14T16:22:00.404Z", "dateReserved": "2020-03-17T00:00:00.000Z", "datePublished": "2022-12-26T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-08-18T13:06:16.065Z"}, "descriptions": [{"lang": "en", "value": "A deserialization flaw was discovered in jackson-databind through 2.9.10.4. It could allow an unauthenticated user to perform code execution via ignite-jta or quartz-core: org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup, org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory, and org.quartz.utils.JNDIConnectionProvider."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"}, {"url": "https://www.oracle.com/security-alerts/cpujan2021.html"}, {"url": "https://github.com/advisories/GHSA-rpr3-cw39-3pxh"}, {"url": "https://www.oracle.com/security-alerts/cpuoct2022.html"}, {"url": "https://github.com/FasterXML/jackson-databind/issues/2658"}, {"url": "https://github.com/FasterXML/jackson-databind/commit/a424c038ba0c0d65e579e22001dec925902ac0ef"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00032.html"}, {"url": "https://security.netapp.com/advisory/ntap-20230818-0007/"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T11:06:10.616Z"}, "title": "CVE Program Container", "references": [{"url": "https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", "tags": ["x_transferred"]}, {"url": "https://www.oracle.com/security-alerts/cpujan2021.html", "tags": ["x_transferred"]}, {"url": "https://github.com/advisories/GHSA-rpr3-cw39-3pxh", "tags": ["x_transferred"]}, {"url": "https://www.oracle.com/security-alerts/cpuoct2022.html", "tags": ["x_transferred"]}, {"url": "https://github.com/FasterXML/jackson-databind/issues/2658", "tags": ["x_transferred"]}, {"url": "https://github.com/FasterXML/jackson-databind/commit/a424c038ba0c0d65e579e22001dec925902ac0ef", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00032.html", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20230818-0007/", "tags": ["x_transferred"]}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-502", "lang": "en", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-04-14T16:21:17.999575Z", "id": "CVE-2020-10650", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-14T16:22:00.404Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", "tags": ["x_transferred"]}, {"url": "https://www.oracle.com/security-alerts/cpujan2021.html", "tags": ["x_transferred"]}, {"url": "https://github.com/advisories/GHSA-rpr3-cw39-3pxh", "tags": ["x_transferred"]}, {"url": "https://www.oracle.com/security-alerts/cpuoct2022.html", "tags": ["x_transferred"]}, {"url": "https://github.com/FasterXML/jackson-databind/issues/2658", "tags": ["x_transferred"]}, {"url": "https://github.com/FasterXML/jackson-databind/commit/a424c038ba0c0d65e579e22001dec925902ac0ef", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00032.html", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20230818-0007/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T11:06:10.616Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2020-10650", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-04-14T16:21:17.999575Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-14T16:21:51.481Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"}, {"url": "https://www.oracle.com/security-alerts/cpujan2021.html"}, {"url": "https://github.com/advisories/GHSA-rpr3-cw39-3pxh"}, {"url": "https://www.oracle.com/security-alerts/cpuoct2022.html"}, {"url": "https://github.com/FasterXML/jackson-databind/issues/2658"}, {"url": "https://github.com/FasterXML/jackson-databind/commit/a424c038ba0c0d65e579e22001dec925902ac0ef"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00032.html"}, {"url": "https://security.netapp.com/advisory/ntap-20230818-0007/"}], "descriptions": [{"lang": "en", "value": "A deserialization flaw was discovered in jackson-databind through 2.9.10.4. It could allow an unauthenticated user to perform code execution via ignite-jta or quartz-core: org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup, org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory, and org.quartz.utils.JNDIConnectionProvider."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-08-18T13:06:16.065Z"}}}, "cveMetadata": {"cveId": "CVE-2020-10650", "state": "PUBLISHED", "dateUpdated": "2025-04-14T16:22:00.404Z", "dateReserved": "2020-03-17T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2022-12-26T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*", "matchCriteriaId": "238F4D80-C84C-4C96-B45D-D73ADE46A3C8", "versionEndIncluding": "2.9.10.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:retail_merchandising_system:15.0:*:*:*:*:*:*:*", "matchCriteriaId": "792DF04A-2D1B-40B5-B960-3E7152732EB8", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_sales_audit:14.1:*:*:*:*:*:*:*", "matchCriteriaId": "7DA6E92C-AC3B-40CF-96AE-22CD8769886F", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A deserialization flaw was discovered in jackson-databind through 2.9.10.4. It could allow an unauthenticated user to perform code execution via ignite-jta or quartz-core: org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup, org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory, and org.quartz.utils.JNDIConnectionProvider."}, {"lang": "es", "value": "Se descubri\u00f3 un fallo de deserializaci\u00f3n en jackson-databind hasta 2.9.10.4. Podr\u00eda permitir que un usuario no autenticado realice la ejecuci\u00f3n de c\u00f3digo a trav\u00e9s de ignite-jta o quartz-core: org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup, org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory y org. quartz.utils.JNDIConnectionProvider."}], "id": "CVE-2020-10650", "lastModified": "2025-04-14T17:15:23.347", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2022-12-26T20:15:10.433", "references": [{"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/FasterXML/jackson-databind/commit/a424c038ba0c0d65e579e22001dec925902ac0ef"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/FasterXML/jackson-databind/issues/2658"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/advisories/GHSA-rpr3-cw39-3pxh"}, {"source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00032.html"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"}, {"source": "cve@mitre.org", "url": "https://security.netapp.com/advisory/ntap-20230818-0007/"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujan2021.html"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuoct2022.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/FasterXML/jackson-databind/commit/a424c038ba0c0d65e579e22001dec925902ac0ef"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/FasterXML/jackson-databind/issues/2658"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/advisories/GHSA-rpr3-cw39-3pxh"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00032.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.netapp.com/advisory/ntap-20230818-0007/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujan2021.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuoct2022.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-502"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}