Details of VAR-202003-1779

ID

VAR-202003-1779

CVE

CVE-2020-10672

TITLE

FasterXML jackson-databind Vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2020-003144

DESCRIPTION

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms). FasterXML jackson-databind There is an unspecified vulnerability in.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. FasterXML Jackson is a data processing tool for Java developed by American FasterXML Company. jackson-databind is one of the components with data binding function. A security vulnerability exists in FasterXML jackson-databind 2.x prior to 2.9.10.4 due to insecure deserialization by org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aries.transaction.jms) . A remote attacker could exploit this vulnerability with specially crafted input to execute arbitrary code on the system. Description: Red Hat Decision Manager is an open source decision management platform that combines business rules management, complex event processing, Decision Model & Notation (DMN) execution, and Business Optimizer for solving planning problems. It automates business decisions and makes that logic available to the entire business. It is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process. Security Fix(es): * apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default (CVE-2019-10086) * cxf: does not restrict the number of message attachments (CVE-2019-12406) * cxf: OpenId Connect token service does not properly validate the clientId (CVE-2019-12419) * hibernate-validator: safeHTML validator allows XSS (CVE-2019-10219) * HTTP/2: flood using PING frames results in unbounded memory growth (CVE-2019-9512) * HTTP/2: flood using HEADERS frames results in unbounded memory growth (CVE-2019-9514) * HTTP/2: flood using SETTINGS frames results in unbounded memory growth (CVE-2019-9515) * HTTP/2: large amount of data requests leads to denial of service (CVE-2019-9511) * jackson-databind: Multiple serialization gadgets (CVE-2019-17531, CVE-2019-16943, CVE-2019-16942, CVE-2019-17267, CVE-2019-14540, CVE-2019-16335, CVE-2019-14893, CVE-2019-14892, CVE-2020-9546, CVE-2020-9547, CVE-2020-9548, CVE-2020-10969, CVE-2020-10968, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-11619, CVE-2020-11620, CVE-2019-20330, CVE-2020-8840) * jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution (CVE-2020-10672, CVE-2020-10673) * keycloak: adapter endpoints are exposed via arbitrary URLs (CVE-2019-14820) * keycloak: missing signatures validation on CRL used to verify client certificates (CVE-2019-3875) * keycloak: SAML broker does not check existence of signature on document allowing any user impersonation (CVE-2019-10201) * keycloak: CSRF check missing in My Resources functionality in the Account Console (CVE-2019-10199) * keycloak: cross-realm user access auth bypass (CVE-2019-14832) * netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling (CVE-2020-7238) * SmallRye: SecuritySupport class is incorrectly public and contains a static method to access the current threads context class loader (CVE-2020-1729) * thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol (CVE-2019-0210) * thrift: Endless loop when feed with specific input data (CVE-2019-0205) * undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening on HTTPS (CVE-2019-14888) * wildfly: The 'enabled-protocols' value in legacy security is not respected if OpenSSL security provider is in use (CVE-2019-14887) * wildfly-core: Incorrect privileges for 'Monitor', 'Auditor' and 'Deployer' user by default (CVE-2019-14838) * xml-security: Apache Santuario potentially loads XML parsing code from an untrusted source (CVE-2019-12400) For more details about the security issues and their impact, the CVSS score, acknowledgements, and other related information, see the CVE pages listed in the References section. The References section of this erratum contains a download link for the update. You must be logged in to download the update. Summary: This is a security update for JBoss EAP Continuous Delivery 19. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat JBoss Enterprise Application Platform 7.3.2 security update Advisory ID: RHSA-2020:3461-01 Product: Red Hat JBoss Enterprise Application Platform Advisory URL: https://access.redhat.com/errata/RHSA-2020:3461 Issue date: 2020-08-17 CVE Names: CVE-2019-14900 CVE-2020-1710 CVE-2020-1748 CVE-2020-10672 CVE-2020-10673 CVE-2020-10683 CVE-2020-10687 CVE-2020-10693 CVE-2020-10714 CVE-2020-10718 CVE-2020-10740 CVE-2020-14297 ===================================================================== 1. Summary: An update is now available for Red Hat JBoss Enterprise Application Platform 7.3 for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat JBoss EAP 7.3 for RHEL 6 Server - noarch 3. Description: Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.3.2 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.3.1, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.3.2 Release Notes for information about the most significant bug fixes and enhancements included in this release. Security Fix(es): * wildfly: exposed setting of TCCL via the EmbeddedManagedProcess API (CVE-2020-10718) * dom4j: XML External Entity vulnerability in default SAX parser (CVE-2020-10683) * wildfly-elytron: session fixation when using FORM authentication (CVE-2020-10714) * wildfly-undertow: Undertow: Incomplete fix for CVE-2017-2666 due to permitting invalid characters in HTTP requests (CVE-2020-10687) * jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution (CVE-2020-10673) * hibernate-core: hibernate: SQL injection issue in Hibernate ORM (CVE-2019-14900) * wildfly: unsafe deserialization in Wildfly Enterprise Java Beans (CVE-2020-10740) * jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution (CVE-2020-10672) * undertow: EAP: field-name is not parsed in accordance to RFC7230 (CVE-2020-1710) * hibernate-validator: Improper input validation in the interpolation of constraint error messages (CVE-2020-10693) * wildfly: Improper authorization issue in WildFlySecurityManager when using alternative protection domain (CVE-2020-1748) * wildfly: Some EJB transaction objects may get accumulated causing Denial of Service (CVE-2020-14297) For more details about the security issue(s), including the impact, a CVSS score, and other related information, see the CVE page(s) listed in the References section. 4. Solution: Before applying this update, ensure all previously released errata relevant to your system have been applied. For details about how to apply this update, see: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1666499 - CVE-2019-14900 hibernate: SQL injection issue in Hibernate ORM 1694235 - CVE-2020-10683 dom4j: XML External Entity vulnerability in default SAX parser 1785049 - CVE-2020-10687 Undertow: Incomplete fix for CVE-2017-2666 due to permitting invalid characters in HTTP requests 1793970 - CVE-2020-1710 EAP: field-name is not parsed in accordance to RFC7230 1805501 - CVE-2020-10693 hibernate-validator: Improper input validation in the interpolation of constraint error messages 1807707 - CVE-2020-1748 Wildfly: Improper authorization issue in WildFlySecurityManager when using alternative protection domain 1815470 - CVE-2020-10673 jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution 1815495 - CVE-2020-10672 jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution 1825714 - CVE-2020-10714 wildfly-elytron: session fixation when using FORM authentication 1828476 - CVE-2020-10718 wildfly: exposed setting of TCCL via the EmbeddedManagedProcess API 1834512 - CVE-2020-10740 wildfly: unsafe deserialization in Wildfly Enterprise Java Beans 1853595 - CVE-2020-14297 wildfly: Some EJB transaction objects may get accumulated causing Denial of Service 6. JIRA issues fixed (https://issues.jboss.org/): JBEAP-18793 - [GSS](7.3.z) Upgrade Hibernate ORM from 5.3.16 to 5.3.17 JBEAP-19095 - [GSS](7.3.z) Upgrade wildfly-http-client from 1.0.20 to 1.0.21 JBEAP-19134 - (7.3.z) Upgrade HAL from 3.2.8.Final-redhat-00001 to 3.2.9.Final JBEAP-19185 - (7.3.z) Upgrade IronJacamar from 1.4.20.Final to 1.4.22.Final JBEAP-19203 - (7.3.z) WFCORE-4850 - Updating mockserver to 5.9.0. Exclusion of dependency from xom.io7m JBEAP-19205 - (7.3.z) Upgrade WildFly Core from 10.1.5.Final-redhat-00001 to 10.1.x JBEAP-19269 - [GSS](7.3.z) Upgrade jboss-logmanager from 2.1.14.Final to 2.1.15.Final JBEAP-19322 - (7.3.z) Upgrade XNIO from 3.7.7 to 3.7.8.SP1 JBEAP-19325 - (7.3.z) Upgrade Infinispan from 9.4.18.Final-redhat-00001 to 9.4.19.Final-redhat-00001 JBEAP-19397 - (7.3.z) Upgrade JSF based on Mojarra 2.3.9.SP09-redhat-00001 to 2.3.9.SP11-redhat-00001 JBEAP-19409 - Tracker bug for the EAP 7.3.2 release for RHEL-6 JBEAP-19529 - (7.3.z) Update PR template to include PR-processor hints. JBEAP-19564 - [GSS](7.3.z) Upgrade jboss-ejb-client from 4.0.31.Final-redhat-00001 to 4.0.33.Final-redhat-00001 JBEAP-19585 - [GSS](7.3.z) Upgrade org.jboss.genericjms from 2.0.4 to 2.0.6 JBEAP-19617 - (7.3.z) Upgrade wildfly-naming-client from 1.0.12.Final-redhat-00001 to 1.0.13.Final-redhat-00001 JBEAP-19619 - (7.3.z) Upgrade JBoss JSF API from 3.0.0.SP02-redhat-00001 to 3.0.0.SP04-redhat-00001 JBEAP-19673 - (7.3.z) [WFCORE] Upgrade WildFly Common to 1.5.2.Final JBEAP-19674 - (7.3.z) [WFCORE] Upgrade galleon and wildfly-galleon-plugins from 4.1.2.Final to 4.2.4.Final JBEAP-19874 - [GSS](7.3.z) Upgrade wildfly-http-client from 1.0.21.Final-redhat-00001 to 1.0.22.Final-redhat-00001 7. Package List: Red Hat JBoss EAP 7.3 for RHEL 6 Server: Source: eap7-dom4j-2.1.3-1.redhat_00001.1.el6eap.src.rpm eap7-elytron-web-1.6.2-1.Final_redhat_00001.1.el6eap.src.rpm eap7-glassfish-jsf-2.3.9-11.SP11_redhat_00001.1.el6eap.src.rpm eap7-hal-console-3.2.9-1.Final_redhat_00001.1.el6eap.src.rpm eap7-hibernate-5.3.17-1.Final_redhat_00001.1.el6eap.src.rpm eap7-hibernate-validator-6.0.20-1.Final_redhat_00001.1.el6eap.src.rpm eap7-infinispan-9.4.19-1.Final_redhat_00001.1.el6eap.src.rpm eap7-ironjacamar-1.4.22-1.Final_redhat_00001.1.el6eap.src.rpm eap7-jackson-annotations-2.10.4-1.redhat_00001.1.el6eap.src.rpm eap7-jackson-core-2.10.4-1.redhat_00001.1.el6eap.src.rpm eap7-jackson-databind-2.10.4-1.redhat_00001.1.el6eap.src.rpm eap7-jackson-jaxrs-providers-2.10.4-1.redhat_00001.1.el6eap.src.rpm eap7-jackson-modules-base-2.10.4-1.redhat_00001.1.el6eap.src.rpm eap7-jackson-modules-java8-2.10.4-1.redhat_00001.1.el6eap.src.rpm eap7-jboss-genericjms-2.0.6-1.Final_redhat_00001.1.el6eap.src.rpm eap7-jboss-jsf-api_2.3_spec-3.0.0-4.SP04_redhat_00001.1.el6eap.src.rpm eap7-jboss-logmanager-2.1.15-1.Final_redhat_00001.1.el6eap.src.rpm eap7-jboss-server-migration-1.7.1-7.Final_redhat_00009.1.el6eap.src.rpm eap7-jboss-xnio-base-3.7.8-1.SP1_redhat_00001.1.el6eap.src.rpm eap7-netty-4.1.48-1.Final_redhat_00001.1.el6eap.src.rpm eap7-undertow-2.0.30-4.SP4_redhat_00001.1.el6eap.src.rpm eap7-wildfly-7.3.2-4.GA_redhat_00002.1.el6eap.src.rpm eap7-wildfly-common-1.5.2-1.Final_redhat_00002.1.el6eap.src.rpm eap7-wildfly-elytron-1.10.7-1.Final_redhat_00001.1.el6eap.src.rpm eap7-wildfly-http-client-1.0.22-1.Final_redhat_00001.1.el6eap.src.rpm noarch: eap7-dom4j-2.1.3-1.redhat_00001.1.el6eap.noarch.rpm eap7-glassfish-jsf-2.3.9-11.SP11_redhat_00001.1.el6eap.noarch.rpm eap7-hal-console-3.2.9-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-hibernate-5.3.17-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-hibernate-core-5.3.17-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-hibernate-entitymanager-5.3.17-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-hibernate-envers-5.3.17-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-hibernate-java8-5.3.17-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-hibernate-validator-6.0.20-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-hibernate-validator-cdi-6.0.20-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-infinispan-9.4.19-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-infinispan-cachestore-jdbc-9.4.19-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-infinispan-cachestore-remote-9.4.19-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-infinispan-client-hotrod-9.4.19-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-infinispan-commons-9.4.19-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-infinispan-core-9.4.19-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-infinispan-hibernate-cache-commons-9.4.19-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-infinispan-hibernate-cache-spi-9.4.19-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-infinispan-hibernate-cache-v53-9.4.19-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-ironjacamar-1.4.22-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-ironjacamar-common-api-1.4.22-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-ironjacamar-common-impl-1.4.22-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-ironjacamar-common-spi-1.4.22-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-ironjacamar-core-api-1.4.22-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-ironjacamar-core-impl-1.4.22-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-ironjacamar-deployers-common-1.4.22-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-ironjacamar-jdbc-1.4.22-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-ironjacamar-validator-1.4.22-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-jackson-annotations-2.10.4-1.redhat_00001.1.el6eap.noarch.rpm eap7-jackson-core-2.10.4-1.redhat_00001.1.el6eap.noarch.rpm eap7-jackson-databind-2.10.4-1.redhat_00001.1.el6eap.noarch.rpm eap7-jackson-datatype-jdk8-2.10.4-1.redhat_00001.1.el6eap.noarch.rpm eap7-jackson-datatype-jsr310-2.10.4-1.redhat_00001.1.el6eap.noarch.rpm eap7-jackson-jaxrs-base-2.10.4-1.redhat_00001.1.el6eap.noarch.rpm eap7-jackson-jaxrs-json-provider-2.10.4-1.redhat_00001.1.el6eap.noarch.rpm eap7-jackson-module-jaxb-annotations-2.10.4-1.redhat_00001.1.el6eap.noarch.rpm eap7-jackson-modules-base-2.10.4-1.redhat_00001.1.el6eap.noarch.rpm eap7-jackson-modules-java8-2.10.4-1.redhat_00001.1.el6eap.noarch.rpm eap7-jboss-genericjms-2.0.6-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-jboss-jsf-api_2.3_spec-3.0.0-4.SP04_redhat_00001.1.el6eap.noarch.rpm eap7-jboss-logmanager-2.1.15-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-jboss-server-migration-1.7.1-7.Final_redhat_00009.1.el6eap.noarch.rpm eap7-jboss-server-migration-cli-1.7.1-7.Final_redhat_00009.1.el6eap.noarch.rpm eap7-jboss-server-migration-core-1.7.1-7.Final_redhat_00009.1.el6eap.noarch.rpm eap7-jboss-server-migration-eap6.4-1.7.1-7.Final_redhat_00009.1.el6eap.noarch.rpm eap7-jboss-server-migration-eap6.4-to-eap7.3-1.7.1-7.Final_redhat_00009.1.el6eap.noarch.rpm eap7-jboss-server-migration-eap7.0-1.7.1-7.Final_redhat_00009.1.el6eap.noarch.rpm eap7-jboss-server-migration-eap7.1-1.7.1-7.Final_redhat_00009.1.el6eap.noarch.rpm eap7-jboss-server-migration-eap7.2-1.7.1-7.Final_redhat_00009.1.el6eap.noarch.rpm eap7-jboss-server-migration-eap7.2-to-eap7.3-1.7.1-7.Final_redhat_00009.1.el6eap.noarch.rpm eap7-jboss-server-migration-eap7.3-server-1.7.1-7.Final_redhat_00009.1.el6eap.noarch.rpm eap7-jboss-server-migration-wildfly10.0-1.7.1-7.Final_redhat_00009.1.el6eap.noarch.rpm eap7-jboss-server-migration-wildfly10.1-1.7.1-7.Final_redhat_00009.1.el6eap.noarch.rpm eap7-jboss-server-migration-wildfly11.0-1.7.1-7.Final_redhat_00009.1.el6eap.noarch.rpm eap7-jboss-server-migration-wildfly12.0-1.7.1-7.Final_redhat_00009.1.el6eap.noarch.rpm eap7-jboss-server-migration-wildfly13.0-server-1.7.1-7.Final_redhat_00009.1.el6eap.noarch.rpm eap7-jboss-server-migration-wildfly14.0-server-1.7.1-7.Final_redhat_00009.1.el6eap.noarch.rpm eap7-jboss-server-migration-wildfly15.0-server-1.7.1-7.Final_redhat_00009.1.el6eap.noarch.rpm eap7-jboss-server-migration-wildfly16.0-server-1.7.1-7.Final_redhat_00009.1.el6eap.noarch.rpm eap7-jboss-server-migration-wildfly17.0-server-1.7.1-7.Final_redhat_00009.1.el6eap.noarch.rpm eap7-jboss-server-migration-wildfly18.0-server-1.7.1-7.Final_redhat_00009.1.el6eap.noarch.rpm eap7-jboss-server-migration-wildfly8.2-1.7.1-7.Final_redhat_00009.1.el6eap.noarch.rpm eap7-jboss-server-migration-wildfly9.0-1.7.1-7.Final_redhat_00009.1.el6eap.noarch.rpm eap7-jboss-xnio-base-3.7.8-1.SP1_redhat_00001.1.el6eap.noarch.rpm eap7-netty-4.1.48-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-netty-all-4.1.48-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-undertow-2.0.30-4.SP4_redhat_00001.1.el6eap.noarch.rpm eap7-undertow-server-1.6.2-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-wildfly-7.3.2-4.GA_redhat_00002.1.el6eap.noarch.rpm eap7-wildfly-common-1.5.2-1.Final_redhat_00002.1.el6eap.noarch.rpm eap7-wildfly-elytron-1.10.7-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-wildfly-elytron-tool-1.10.7-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-wildfly-http-client-common-1.0.22-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-wildfly-http-ejb-client-1.0.22-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-wildfly-http-naming-client-1.0.22-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-wildfly-http-transaction-client-1.0.22-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-wildfly-javadocs-7.3.2-4.GA_redhat_00002.1.el6eap.noarch.rpm eap7-wildfly-modules-7.3.2-4.GA_redhat_00002.1.el6eap.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 8. References: https://access.redhat.com/security/cve/CVE-2019-14900 https://access.redhat.com/security/cve/CVE-2020-1710 https://access.redhat.com/security/cve/CVE-2020-1748 https://access.redhat.com/security/cve/CVE-2020-10672 https://access.redhat.com/security/cve/CVE-2020-10673 https://access.redhat.com/security/cve/CVE-2020-10683 https://access.redhat.com/security/cve/CVE-2020-10687 https://access.redhat.com/security/cve/CVE-2020-10693 https://access.redhat.com/security/cve/CVE-2020-10714 https://access.redhat.com/security/cve/CVE-2020-10718 https://access.redhat.com/security/cve/CVE-2020-10740 https://access.redhat.com/security/cve/CVE-2020-14297 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/ https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/html-single/installation_guide/ 9. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXzqIS9zjgjWX9erEAQjYNxAAk4rojlcRbfjwu0wlWLTU1MbxQNclVtVh MpQnFzyvJVVXX0lslx7NGxHlRNWRgqI/XC1QDqlHpRs4du5/a2Uj+8c5u+WPQefF QCqOvSntbMli42/I7+fCehLVofx/HkuAVcBoGrIGby1E4rddDljh4bH3r43I7wa5 HN9ki8uFAy8bIAzfXW+RB4rxtnsAABv/VFoH1fWmrXCXE6A6aG+AU86ddty0JQHN JhQp6v/X/3ccCvHYTAO8vlbqIJ4fE86e1+5oRBor+4ZD4mMVzGKm4cf8CMPXsKIB 9dFGo8WHFBgEi4hBbBFtFfaE2DGZ6K4Q7X0IAhiiYJmpPg8NgzGiqVvOAG+/OrBz DE84ZPxZwS1zR82wwIyHP4W5mYIhQTxhtp+E9Klu4gpFIAmK8bVfGf2Ub0HOCS6z sbN1Eiv0SBfWRHBfBkuRTBd0aEcmGRNl4GSXzXtanTf0OhFk/4pxdJPmKDEBFWvg 3dtwFi7+/8JoAch8GKQCo4UoSo6etQu45sUH6Q8ozuxYA72+J9K7cpwp/fVhiYRT nruC+2HDuugrC8UVJ/24E++49omdSXAm+UR9tvkFdVU3IpXLJNWO8s4QbrGC7CN7 Lvg/ukygGhrEEyQ1J9yYSeeNISQWJGOSKj/bgYRAh/AbX/QcZZfus7ppAasNjndn Bk4PSTq9yaw= =ZNiG -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce

Trust: 2.34

sources: NVD: CVE-2020-10672 // JVNDB: JVNDB-2020-003144 // VULHUB: VHN-163174 // PACKETSTORM: 158650 // PACKETSTORM: 157741 // PACKETSTORM: 157859 // PACKETSTORM: 158884 // PACKETSTORM: 158651 // PACKETSTORM: 159081 // PACKETSTORM: 159082

AFFECTED PRODUCTS

vendor:	oracle	model:	retail xstore point of service	scope:	eq	version:	17.0	Trust: 1.0
vendor:	oracle	model:	banking digital experience	scope:	eq	version:	18.2	Trust: 1.0
vendor:	oracle	model:	communications element manager	scope:	gte	version:	8.2.0	Trust: 1.0
vendor:	debian	model:	linux	scope:	eq	version:	8.0	Trust: 1.0
vendor:	oracle	model:	jd edwards enterpriseone tools	scope:	lt	version:	9.2.4.2	Trust: 1.0
vendor:	oracle	model:	financial services price creation and discovery	scope:	eq	version:	8.0.7	Trust: 1.0
vendor:	oracle	model:	communications network charging and control	scope:	gte	version:	12.0.0	Trust: 1.0
vendor:	oracle	model:	primavera unifier	scope:	lte	version:	17.12	Trust: 1.0
vendor:	oracle	model:	retail xstore point of service	scope:	eq	version:	16.0	Trust: 1.0
vendor:	oracle	model:	agile plm	scope:	eq	version:	9.3.6	Trust: 1.0
vendor:	oracle	model:	primavera unifier	scope:	eq	version:	16.2	Trust: 1.0
vendor:	oracle	model:	global lifecycle management opatch	scope:	lt	version:	12.2.0.1.20	Trust: 1.0
vendor:	oracle	model:	banking platform	scope:	lte	version:	2.9.0	Trust: 1.0
vendor:	oracle	model:	financial services institutional performance analytics	scope:	eq	version:	8.1.0	Trust: 1.0
vendor:	oracle	model:	retail service backbone	scope:	eq	version:	15.0	Trust: 1.0
vendor:	oracle	model:	weblogic server	scope:	eq	version:	12.2.1.3.0	Trust: 1.0
vendor:	oracle	model:	banking digital experience	scope:	eq	version:	18.3	Trust: 1.0
vendor:	oracle	model:	insurance policy administration j2ee	scope:	eq	version:	11.0.2.25	Trust: 1.0
vendor:	oracle	model:	autovue for agile product lifecycle management	scope:	eq	version:	21.0.2	Trust: 1.0
vendor:	oracle	model:	financial services retail customer analytics	scope:	eq	version:	8.0.6	Trust: 1.0
vendor:	oracle	model:	communications calendar server	scope:	eq	version:	8.0.0.4.0	Trust: 1.0
vendor:	oracle	model:	enterprise manager base platform	scope:	eq	version:	13.3.0.0	Trust: 1.0
vendor:	fasterxml	model:	jackson-databind	scope:	lt	version:	2.9.10.4	Trust: 1.0
vendor:	oracle	model:	communications diameter signaling router	scope:	gte	version:	8.0.0	Trust: 1.0
vendor:	oracle	model:	enterprise manager base platform	scope:	eq	version:	13.4.0.0	Trust: 1.0
vendor:	oracle	model:	financial services institutional performance analytics	scope:	eq	version:	8.0.7	Trust: 1.0
vendor:	oracle	model:	communications session report manager	scope:	gte	version:	8.2.0	Trust: 1.0
vendor:	oracle	model:	retail service backbone	scope:	eq	version:	14.1	Trust: 1.0
vendor:	oracle	model:	retail service backbone	scope:	eq	version:	16.0	Trust: 1.0
vendor:	oracle	model:	communications contacts server	scope:	eq	version:	8.0.0.5.0	Trust: 1.0
vendor:	oracle	model:	primavera unifier	scope:	gte	version:	17.7	Trust: 1.0
vendor:	oracle	model:	banking digital experience	scope:	eq	version:	19.2	Trust: 1.0
vendor:	oracle	model:	communications session route manager	scope:	lte	version:	8.2.2	Trust: 1.0
vendor:	oracle	model:	communications instant messaging server	scope:	eq	version:	10.0.1.4.0	Trust: 1.0
vendor:	oracle	model:	primavera unifier	scope:	eq	version:	16.1	Trust: 1.0
vendor:	oracle	model:	financial services price creation and discovery	scope:	eq	version:	8.0.6	Trust: 1.0
vendor:	oracle	model:	communications evolved communications application server	scope:	eq	version:	7.1	Trust: 1.0
vendor:	oracle	model:	banking digital experience	scope:	eq	version:	20.1	Trust: 1.0
vendor:	oracle	model:	communications element manager	scope:	lte	version:	8.2.2	Trust: 1.0
vendor:	oracle	model:	jd edwards enterpriseone orchestrator	scope:	lt	version:	9.2.4.2	Trust: 1.0
vendor:	netapp	model:	steelstore cloud integrated storage	scope:	eq	version:	-	Trust: 1.0
vendor:	oracle	model:	communications diameter signaling router	scope:	lte	version:	8.2.2	Trust: 1.0
vendor:	oracle	model:	financial services institutional performance analytics	scope:	eq	version:	8.0.6	Trust: 1.0
vendor:	oracle	model:	retail xstore point of service	scope:	eq	version:	18.0	Trust: 1.0
vendor:	fasterxml	model:	jackson-databind	scope:	gte	version:	2.9.0	Trust: 1.0
vendor:	oracle	model:	communications network charging and control	scope:	lte	version:	12.0.3	Trust: 1.0
vendor:	oracle	model:	weblogic server	scope:	eq	version:	12.2.1.4.0	Trust: 1.0
vendor:	oracle	model:	banking platform	scope:	gte	version:	2.4.0	Trust: 1.0
vendor:	oracle	model:	financial services analytical applications infrastructure	scope:	gte	version:	8.0.6	Trust: 1.0
vendor:	oracle	model:	financial services analytical applications infrastructure	scope:	lte	version:	8.1.0	Trust: 1.0
vendor:	oracle	model:	retail merchandising system	scope:	eq	version:	15.0	Trust: 1.0
vendor:	oracle	model:	communications session route manager	scope:	gte	version:	8.2.0	Trust: 1.0
vendor:	oracle	model:	banking digital experience	scope:	eq	version:	19.1	Trust: 1.0
vendor:	oracle	model:	primavera unifier	scope:	eq	version:	18.8	Trust: 1.0
vendor:	oracle	model:	communications session report manager	scope:	lte	version:	8.2.2	Trust: 1.0
vendor:	oracle	model:	retail xstore point of service	scope:	eq	version:	19.0	Trust: 1.0
vendor:	oracle	model:	retail xstore point of service	scope:	eq	version:	15.0	Trust: 1.0
vendor:	oracle	model:	primavera unifier	scope:	eq	version:	19.12	Trust: 1.0
vendor:	oracle	model:	insurance policy administration j2ee	scope:	eq	version:	11.1.0.15	Trust: 1.0
vendor:	oracle	model:	banking digital experience	scope:	eq	version:	18.1	Trust: 1.0
vendor:	oracle	model:	retail sales audit	scope:	eq	version:	14.1	Trust: 1.0
vendor:	oracle	model:	communications contacts server	scope:	eq	version:	8.0.0.4.0	Trust: 1.0
vendor:	oracle	model:	communications network charging and control	scope:	eq	version:	6.0.1	Trust: 1.0
vendor:	debian	model:	gnu/linux	scope:	-	version:	-	Trust: 0.8
vendor:	fasterxml	model:	jackson-databind	scope:	eq	version:	2.9.10.4	Trust: 0.8

sources: JVNDB: JVNDB-2020-003144 // NVD: CVE-2020-10672

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2020-10672
value:	HIGH
Trust: 1.0
134c704f-9b21-4f2e-91b3-4a467353bcc0:	CVE-2020-10672
value:	HIGH
Trust: 1.0
NVD:	JVNDB-2020-003144
value:	HIGH
Trust: 0.8
VULHUB:	VHN-163174
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2020-10672
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
NVD:	JVNDB-2020-003144
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
VULHUB:	VHN-163174
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2020-10672
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 2.0
NVD:	JVNDB-2020-003144
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-163174 // JVNDB: JVNDB-2020-003144 // NVD: CVE-2020-10672 // NVD: CVE-2020-10672

PROBLEMTYPE DATA

problemtype:	CWE-502	Trust: 1.0
problemtype:	NVD-CWE-Other	Trust: 1.0
problemtype:	CWE-Other	Trust: 0.8

sources: JVNDB: JVNDB-2020-003144 // NVD: CVE-2020-10672

THREAT TYPE

remote

Trust: 0.3

sources: PACKETSTORM: 158884 // PACKETSTORM: 159081 // PACKETSTORM: 159082

TYPE

xss

Trust: 0.3

sources: PACKETSTORM: 158650 // PACKETSTORM: 157859 // PACKETSTORM: 158651

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-003144

PATCH

title:	[SECURITY] [DLA 2153-1] jackson-databind security update	url:	https://lists.debian.org/debian-lts-announce/2020/03/msg00027.html	Trust: 0.8
title:	Block one more gadget type (aries.transaction.jms, CVE-2020-10672) #2659	url:	https://github.com/FasterXML/jackson-databind/issues/2659	Trust: 0.8

sources: JVNDB: JVNDB-2020-003144

EXTERNAL IDS

db:	NVD	id:	CVE-2020-10672	Trust: 2.6
db:	JVNDB	id:	JVNDB-2020-003144	Trust: 0.8
db:	PACKETSTORM	id:	158884	Trust: 0.2
db:	PACKETSTORM	id:	158651	Trust: 0.2
db:	PACKETSTORM	id:	159082	Trust: 0.2
db:	PACKETSTORM	id:	159081	Trust: 0.2
db:	PACKETSTORM	id:	158650	Trust: 0.2
db:	PACKETSTORM	id:	158636	Trust: 0.1
db:	PACKETSTORM	id:	159083	Trust: 0.1
db:	PACKETSTORM	id:	159208	Trust: 0.1
db:	PACKETSTORM	id:	158889	Trust: 0.1
db:	PACKETSTORM	id:	159080	Trust: 0.1
db:	PACKETSTORM	id:	158916	Trust: 0.1
db:	PACKETSTORM	id:	158881	Trust: 0.1
db:	PACKETSTORM	id:	158891	Trust: 0.1
db:	CNNVD	id:	CNNVD-202003-1150	Trust: 0.1
db:	VULHUB	id:	VHN-163174	Trust: 0.1
db:	PACKETSTORM	id:	157741	Trust: 0.1
db:	PACKETSTORM	id:	157859	Trust: 0.1

sources: VULHUB: VHN-163174 // JVNDB: JVNDB-2020-003144 // PACKETSTORM: 158650 // PACKETSTORM: 157741 // PACKETSTORM: 157859 // PACKETSTORM: 158884 // PACKETSTORM: 158651 // PACKETSTORM: 159081 // PACKETSTORM: 159082 // NVD: CVE-2020-10672

REFERENCES

url:	https://nvd.nist.gov/vuln/detail/cve-2020-10672	Trust: 1.4
url:	https://security.netapp.com/advisory/ntap-20200403-0002/	Trust: 1.1
url:	https://github.com/fasterxml/jackson-databind/issues/2659	Trust: 1.1
url:	https://www.oracle.com/security-alerts/cpujan2021.html	Trust: 1.1
url:	https://www.oracle.com/security-alerts/cpujul2020.html	Trust: 1.1
url:	https://www.oracle.com/security-alerts/cpuoct2020.html	Trust: 1.1
url:	https://www.oracle.com/security-alerts/cpuoct2021.html	Trust: 1.1
url:	https://lists.debian.org/debian-lts-announce/2020/03/msg00027.html	Trust: 1.1
url:	https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062	Trust: 1.0
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-10672	Trust: 0.8
url:	https://access.redhat.com/security/cve/cve-2020-10672	Trust: 0.7
url:	https://access.redhat.com/security/updates/classification/#important	Trust: 0.7
url:	https://access.redhat.com/security/team/contact/	Trust: 0.7
url:	https://www.redhat.com/mailman/listinfo/rhsa-announce	Trust: 0.7
url:	https://bugzilla.redhat.com/):	Trust: 0.7
url:	https://access.redhat.com/security/cve/cve-2020-9547	Trust: 0.6
url:	https://access.redhat.com/security/cve/cve-2020-10673	Trust: 0.6
url:	https://access.redhat.com/security/cve/cve-2020-9546	Trust: 0.5
url:	https://access.redhat.com/security/cve/cve-2020-9548	Trust: 0.5
url:	https://access.redhat.com/security/cve/cve-2020-8840	Trust: 0.5
url:	https://nvd.nist.gov/vuln/detail/cve-2020-10673	Trust: 0.5
url:	https://access.redhat.com/security/cve/cve-2020-11112	Trust: 0.4
url:	https://access.redhat.com/security/cve/cve-2020-11113	Trust: 0.4
url:	https://access.redhat.com/security/cve/cve-2020-10968	Trust: 0.4
url:	https://nvd.nist.gov/vuln/detail/cve-2019-20330	Trust: 0.4
url:	https://access.redhat.com/security/cve/cve-2020-10969	Trust: 0.4
url:	https://access.redhat.com/security/cve/cve-2019-20330	Trust: 0.4
url:	https://access.redhat.com/security/cve/cve-2020-7238	Trust: 0.4
url:	https://access.redhat.com/security/cve/cve-2020-11111	Trust: 0.4
url:	https://issues.jboss.org/):	Trust: 0.4
url:	https://nvd.nist.gov/vuln/detail/cve-2019-12406	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2019-9514	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2019-17573	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2019-20444	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2019-9512	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2019-12406	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2019-17573	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2019-9514	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2019-9515	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2020-11619	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2019-20445	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2019-20444	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2019-16869	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2020-11620	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2020-11111	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2019-9512	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2019-12423	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2019-16869	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2019-12423	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2020-10968	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2019-20445	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2020-10969	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2019-10086	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2019-10086	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2020-1695	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2020-1710	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2020-10740	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2020-14297	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2020-10693	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2020-10687	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2020-10714	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2020-14297	Trust: 0.3
url:	https://access.redhat.com/articles/11258	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2019-14900	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2020-10683	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2020-10714	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2020-10683	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2020-10693	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2020-10687	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2019-14900	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2020-10740	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2020-1710	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2020-10718	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2020-10718	Trust: 0.3
url:	https://access.redhat.com/security/team/key/	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2020-1748	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2020-1748	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2020-14060	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2020-1718	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2020-14060	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2019-9515	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2019-13990	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2020-11620	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2020-11612	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2020-14061	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2020-1718	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2019-9518	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2019-13990	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2020-14062	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2020-11619	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2020-11112	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2020-11612	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2019-9518	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2020-14061	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2020-11113	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2020-14062	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2019-16335	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2019-16943	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2019-0210	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2019-0205	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2019-12419	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2019-17531	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2019-16335	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2019-0210	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2019-17531	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2019-14540	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2019-17267	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2019-16942	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2019-14887	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2019-14892	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2019-16943	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2019-12419	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2019-17267	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2019-0205	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2019-14893	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2019-16942	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2019-14893	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2019-14888	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2019-14892	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2019-14887	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2019-14540	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2019-14888	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2020-6950	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2020-9547	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2020-1695	Trust: 0.2
url:	https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.2/html-single/installation_guide/	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2020-9548	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2020-9546	Trust: 0.2
url:	https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.2/	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2020-8840	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2020-6950	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2020-14307	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2020-14307	Trust: 0.2
url:	https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2020:3196	Trust: 0.1
url:	https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?downloadtype=distributions&product=rhdm&version=7.8.0	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-7238	Trust: 0.1
url:	https://access.redhat.com/documentation/en-us/red_hat_decision_manager/7.8/html/release_notes_for_red_hat_decision_manager_7.8/index	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2019-3875	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2019-14832	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-10201	Trust: 0.1
url:	https://access.redhat.com/documentation/en-us/red_hat_build_of_thorntail/2.5/html/release_notes_for_thorntail_2.5/	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2020:2067	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-3875	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-14838	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-9511	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-12400	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2019-10219	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-14832	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2019-10199	Trust: 0.1
url:	https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?downloadtype=distributions&product=catrhoar.thorntail&version=2.5.1	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2019-9511	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2019-10201	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2020-1729	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-10199	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2019-12400	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2019-14838	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-10219	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2019-14820	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-14820	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-10174	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2020:2333	Trust: 0.1
url:	https://access.redhat.com/documentation/en-us/jboss_enterprise_application_platform_continuous_delivery/19/	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-10688	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2020-1745	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2020-10688	Trust: 0.1
url:	https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?product\xeap-cd&downloadtype=securitypatches&version	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2019-10174	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2020-1732	Trust: 0.1
url:	https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/html-single/installation_guide/	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2020:3461	Trust: 0.1
url:	https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/	Trust: 0.1
url:	https://access.redhat.com/documentation/en-us/red_hat_process_automation_manager/7.8/html/release_notes_for_red_hat_process_automation_manager_7.8/index	Trust: 0.1
url:	https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?downloadtype=distributions&product=rhpam&version=7.8.0	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2020:3197	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2020:3637	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2020:3638	Trust: 0.1

CREDITS

Red Hat

Trust: 0.7

sources: PACKETSTORM: 158650 // PACKETSTORM: 157741 // PACKETSTORM: 157859 // PACKETSTORM: 158884 // PACKETSTORM: 158651 // PACKETSTORM: 159081 // PACKETSTORM: 159082

SOURCES

db:	VULHUB	id:	VHN-163174
db:	JVNDB	id:	JVNDB-2020-003144
db:	PACKETSTORM	id:	158650
db:	PACKETSTORM	id:	157741
db:	PACKETSTORM	id:	157859
db:	PACKETSTORM	id:	158884
db:	PACKETSTORM	id:	158651
db:	PACKETSTORM	id:	159081
db:	PACKETSTORM	id:	159082
db:	NVD	id:	CVE-2020-10672

LAST UPDATE DATE

2024-11-20T20:50:06.198000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-163174	date:	2021-12-07T00:00:00
db:	JVNDB	id:	JVNDB-2020-003144	date:	2020-04-06T00:00:00
db:	NVD	id:	CVE-2020-10672	date:	2024-07-03T01:36:05.477

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-163174	date:	2020-03-18T00:00:00
db:	JVNDB	id:	JVNDB-2020-003144	date:	2020-04-06T00:00:00
db:	PACKETSTORM	id:	158650	date:	2020-07-29T17:52:58
db:	PACKETSTORM	id:	157741	date:	2020-05-18T16:42:53
db:	PACKETSTORM	id:	157859	date:	2020-05-28T16:22:46
db:	PACKETSTORM	id:	158884	date:	2020-08-17T17:34:41
db:	PACKETSTORM	id:	158651	date:	2020-07-29T17:53:05
db:	PACKETSTORM	id:	159081	date:	2020-09-07T16:38:23
db:	PACKETSTORM	id:	159082	date:	2020-09-07T16:39:28
db:	NVD	id:	CVE-2020-10672	date:	2020-03-18T22:15:12.313