VIR Vulnerability Intelligence Relay

CVE-2020-11112

high
Published 2020-03-31 · Modified 2026-02-04
CVSS v3
8.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS v2
6.8
VIR risk
8.8

Description

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider (aka apache/commons-proxy).

Predictions

Exploit likelihood
92%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2020-11112

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — https://www.oracle.com/security-alerts/cpuoct2021.html

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — https://www.oracle.com/security-alerts/cpuoct2020.html

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — https://www.oracle.com/security-alerts/cpujul2020.html

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — https://www.oracle.com/security-alerts/cpujan2021.html

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — https://github.com/FasterXML/jackson-databind/issues/2666

OS impact
OSVersionStatusFixed in
debian debianbookwormfixed2.11.1-1
debian debianbullseyefixed2.11.1-1
debian debianforkyfixed2.11.1-1
debian debiansidfixed2.11.1-1
debian debiantrixiefixed2.11.1-1
debian debian8.0affected

Package impact
EcosystemPackageVulnerableFixed
java Mavencom.fasterxml.jackson.core:jackson-databind>=2.9.0,<2.9.10.42.9.10.4

Application impact
VendorProductVersionsFixed
fasterxmljackson-databind{"startIncluding":"2.0.0","endExcluding":"2.9.10.4"}2.9.10.4
netappsteelstore_cloud_integrated_storage-
oracleagile_plm9.3.6
oracleautovue_for_agile_product_lifecycle_management21.0.2
oraclebanking_digital_experience18.1
oraclebanking_digital_experience18.2
oraclebanking_digital_experience18.3
oraclebanking_digital_experience19.1
oraclebanking_digital_experience19.2
oraclebanking_digital_experience20.1
oraclebanking_platform{"startIncluding":"2.4.0","endIncluding":"2.9.0"}
oraclecommunications_calendar_server8.0.0.4.0
oraclecommunications_contacts_server8.0.0.4.0
oraclecommunications_contacts_server8.0.0.5.0
oraclecommunications_diameter_signaling_router{"startIncluding":"8.0.0","endIncluding":"8.2.2"}
oraclecommunications_element_manager{"startIncluding":"8.2.0","endIncluding":"8.2.2"}
oraclecommunications_evolved_communications_application_server7.1
oraclecommunications_instant_messaging_server10.0.1.4.0
oraclecommunications_network_charging_and_control{"startIncluding":"12.0.0","endIncluding":"12.0.3"}
oraclecommunications_network_charging_and_control6.0.1
oraclecommunications_session_report_manager{"startIncluding":"8.2.0","endIncluding":"8.2.2"}
oraclecommunications_session_route_manager{"startIncluding":"8.2.0","endIncluding":"8.2.2"}
oracleenterprise_manager_base_platform13.3.0.0
oracleenterprise_manager_base_platform13.4.0.0
oraclefinancial_services_analytical_applications_infrastructure{"startIncluding":"8.0.6","endIncluding":"8.1.0"}
oraclefinancial_services_institutional_performance_analytics8.0.6
oraclefinancial_services_institutional_performance_analytics8.0.7
oraclefinancial_services_institutional_performance_analytics8.1.0
oraclefinancial_services_price_creation_and_discovery8.0.6
oraclefinancial_services_price_creation_and_discovery8.0.7
oraclefinancial_services_retail_customer_analytics8.0.6
oracleglobal_lifecycle_management_opatch{"endExcluding":"12.2.0.1.20"}12.2.0.1.20
oracleinsurance_policy_administration_j2ee11.0.2.25
oracleinsurance_policy_administration_j2ee11.1.0.15
oraclejd_edwards_enterpriseone_orchestrator{"endExcluding":"9.2.4.2"}9.2.4.2
oraclejd_edwards_enterpriseone_tools{"endExcluding":"9.2.4.2"}9.2.4.2
oracleprimavera_unifier{"startIncluding":"17.7","endIncluding":"17.12"}
oracleprimavera_unifier16.1
oracleprimavera_unifier16.2
oracleprimavera_unifier18.8
oracleprimavera_unifier19.12
oracleretail_merchandising_system15.0
oracleretail_sales_audit14.1
oracleretail_service_backbone14.1
oracleretail_service_backbone15.0
oracleretail_service_backbone16.0
oracleretail_xstore_point_of_service15.0
oracleretail_xstore_point_of_service16.0
oracleretail_xstore_point_of_service17.0
oracleretail_xstore_point_of_service18.0
oracleretail_xstore_point_of_service19.0
oracleweblogic_server12.2.1.3.0
oracleweblogic_server12.2.1.4.0

References

CWEs

CWE-502

Verify integrity in audit chain (admin only). AS-IS.