CVE编号
CVE-2020-25649利用情况
暂无补丁情况
官方补丁披露时间
2020-12-04漏洞描述
FasterXML Jackson Databind是美国FasterXML公司的一个基于JAVA的数据处理工具,可以将XML和JSON等数据格式与JAVA对象进行转换。<br /> FasterXML Jackson Databind存在XML外部实体注入漏洞。攻击者可利用该漏洞导致XML外部实体攻击并破坏数据完整性。解决建议
目前厂商已发布升级补丁以修复漏洞,补丁获取链接: https://github.com/FasterXML/jackson-databind/commit/612f971b78c60202e9cd75a299050c8f2d724a59
参考链接 |
|
|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=1887664 | |
| https://github.com/FasterXML/jackson-databind/issues/2589 | |
| https://lists.apache.org/thread.html/r011d1430e8f40dff9550c3bc5d0f48b14c01ba8... | |
| https://lists.apache.org/thread.html/r024b7bda9c43c5560d81238748775c5ecfe01b5... | |
| https://lists.apache.org/thread.html/r04529cedaca40c2ff90af4880493f9c88a8ebf4... | |
| https://lists.apache.org/thread.html/r0881e23bd9034c8f51fdccdc8f4d085ba985dcd... | |
| https://lists.apache.org/thread.html/r0b8dc3acd4503e4ecb6fbd6ea7d95f59941168d... | |
| https://lists.apache.org/thread.html/r1b7ed0c4b6c4301d4dfd6fdbc5581b0a789d324... | |
| https://lists.apache.org/thread.html/r2882fc1f3032cd7be66e28787f04ec6f1874ac6... | |
| https://lists.apache.org/thread.html/r2b6ddb3a4f4cd11d8f6305011e1b7438ba81351... | |
| https://lists.apache.org/thread.html/r2eb66c182853c69ecfb52f63d3dec09495e9b65... | |
| https://lists.apache.org/thread.html/r2f5c5479f99398ef344b7ebd4d90bc3316236c4... | |
| https://lists.apache.org/thread.html/r31f4ee7d561d56a0c2c2c6eb1d6ce3e05917ff9... | |
| https://lists.apache.org/thread.html/r3e6ae311842de4e64c5d560a475b7f9cc7e0a9a... | |
| https://lists.apache.org/thread.html/r407538adec3185dd35a05c9a26ae2f74425b151... | |
| https://lists.apache.org/thread.html/r45e7350dfc92bb192f3f88e9971c11ab2be0953... | |
| https://lists.apache.org/thread.html/r5b130fe668503c4b7e2caf1b16f86b7f2070fd1... | |
| https://lists.apache.org/thread.html/r5f8a1608d758936bd6bbc5eed980777437b6115... | |
| https://lists.apache.org/thread.html/r605764e05e201db33b3e9c2e66ff620658f07ad... | |
| https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee... | |
| https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee... | |
| https://lists.apache.org/thread.html/r63c87aab97155f3f3cbe11d030c4a184ea0de44... | |
| https://lists.apache.org/thread.html/r68d029ee74ab0f3b0569d0c05f5688cb45dd3ab... | |
| https://lists.apache.org/thread.html/r6a4f3ef6edfed2e0884269d84798f766779bbbc... | |
| https://lists.apache.org/thread.html/r6a6df5647583541e3cb71c75141008802f7025c... | |
| https://lists.apache.org/thread.html/r6b11eca1d646f45eb0d35d174e6b1e47cfae529... | |
| https://lists.apache.org/thread.html/r6b11eca1d646f45eb0d35d174e6b1e47cfae529... | |
| https://lists.apache.org/thread.html/r6cbd599b80e787f02ff7a1391d9278a03f37d6a... | |
| https://lists.apache.org/thread.html/r6e3d4f7991542119a4ca6330271d7fbf7b9fb3a... | |
| https://lists.apache.org/thread.html/r73bef1bb601a9f093f915f8075eb49fcca51efa... | |
| https://lists.apache.org/thread.html/r765283e145049df9b8998f14dcd444345555aae... | |
| https://lists.apache.org/thread.html/r78d53a0a269c18394daf5940105dc8c7f9a2399... | |
| https://lists.apache.org/thread.html/r7cb5b4b3e4bd41a8042e5725b7285877a17bcbf... | |
| https://lists.apache.org/thread.html/r86c78bf7656fdb2dab69cbf17f3d7492300f771... | |
| https://lists.apache.org/thread.html/r8764bb835bcb8e311c882ff91dd3949c9824e90... | |
| https://lists.apache.org/thread.html/r8937a7160717fe8b2221767163c4de4f65bc546... | |
| https://lists.apache.org/thread.html/r8937a7160717fe8b2221767163c4de4f65bc546... | |
| https://lists.apache.org/thread.html/r8ae961c80930e2717c75025414ce48a432cea11... | |
| https://lists.apache.org/thread.html/r900d4408c4189b376d1ec580ea7740ea6f8710d... | |
| https://lists.apache.org/thread.html/r90d1e97b0a743cf697d89a792a9b669909cc5a1... | |
| https://lists.apache.org/thread.html/r91722ecfba688b0c565675f8bf380269fde8ec6... | |
| https://lists.apache.org/thread.html/r94c7e86e546120f157264ba5ba61fd29b3a8d53... | |
| https://lists.apache.org/thread.html/r95a297eb5fd1f2d3a2281f15340e2413f952e9d... | |
| https://lists.apache.org/thread.html/r98bfe3b90ea9408f12c4b447edcb5638703d80b... | |
| https://lists.apache.org/thread.html/ra1157e57a01d25e36b0dc17959ace758fc21ba3... | |
| https://lists.apache.org/thread.html/ra409f798a1e5a6652b7097429b388650ccd65fd... | |
| https://lists.apache.org/thread.html/ra95faf968f3463acb3f31a6fbec31453fc50453... | |
| https://lists.apache.org/thread.html/raf13235de6df1d47a717199e1ecd700dff32366... | |
| https://lists.apache.org/thread.html/rb674520b9f6c808c1bf263b1369e14048ec3243... | |
| https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af... | |
| https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af... | |
| https://lists.apache.org/thread.html/rc15e90bbef196a5c6c01659e015249d6c9a7358... | |
| https://lists.apache.org/thread.html/rc82ff47853289e9cd17f5cfbb053c04cafc75ee... | |
| https://lists.apache.org/thread.html/rc88f2fa2b7bd6443921727aeee7704a1fb02433... | |
| https://lists.apache.org/thread.html/rc959cdb57c4fe198316130ff4a5ecbf9d680e35... | |
| https://lists.apache.org/thread.html/rd317f15a675d114dbf5b488d27eeb2467b44243... | |
| https://lists.apache.org/thread.html/rd57c7582adc90e233f23f3727db3df9115b27a8... | |
| https://lists.apache.org/thread.html/rd6f6bf848c2d47fa4a85c27d011d948778b8f7e... | |
| https://lists.apache.org/thread.html/rdca8711bb7aa5d47a44682606cd0ea3497e2e92... | |
| https://lists.apache.org/thread.html/rdf9a34726482222c90d50ae1b9847881de67dde... | |
| https://lists.apache.org/thread.html/re16f81d3ad49a93dd2f0cba9f8fc88e5fb89f30... | |
| https://lists.apache.org/thread.html/re96dc7a13e13e56190a5d80f9e5440a0d0c83ae... | |
| https://lists.apache.org/thread.html/rf1809a1374041a969d77afab21fc38925de066b... | |
| https://lists.fedoraproject.org/archives/list/[email protected]... | |
| https://security.netapp.com/advisory/ntap-20210108-0007/ | |
| https://www.oracle.com//security-alerts/cpujul2021.html | |
| https://www.oracle.com/security-alerts/cpuApr2021.html | |
| https://www.oracle.com/security-alerts/cpujan2022.html | |
| https://www.oracle.com/security-alerts/cpuoct2021.html |
受影响软件情况
| # | 类型 | 厂商 | 产品 | 版本 | 影响面 | ||||
| 1 | |||||||||
|---|---|---|---|---|---|---|---|---|---|
| 运行在以下环境 | |||||||||
| 应用 | fasterxml | jackson-databind | * |
Up to (excluding) 2.6.7.4 |
|||||
| 运行在以下环境 | |||||||||
| 应用 | fasterxml | jackson-databind | * |
From (including) 2.10.0 |
Up to (excluding) 2.10.5.1 |
||||
| 运行在以下环境 | |||||||||
| 应用 | fasterxml | jackson-databind | * |
From (including) 2.9.0 |
Up to (excluding) 2.9.10.7 |
||||
| 运行在以下环境 | |||||||||
| 系统 | debian_10 | jackson-databind | * |
Up to (excluding) 2.9.8-3+deb10u3 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | debian_9 | jackson-databind | * |
Up to (excluding) 2.8.6-1+deb9u8 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | fedora_32 | jackson-databind | * |
Up to (excluding) 2.10.5.1-1.fc32 |
|||||
- 攻击路径 远程
- 攻击复杂度 容易
- 权限要求 无需权限
- 影响范围 全局影响
- EXP成熟度 未验证
- 补丁情况 官方补丁
- 数据保密性 数据泄露
- 数据完整性 传输被破坏
- 服务器危害 服务器失陷
- 全网数量 N/A
还没有评论,来说两句吧...