CVE-2020-14060

high

Published 2020-06-14 · Modified 2026-05-06

CVSS v3

8.1

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2

6.8

VIR risk

8.1

Description

Deserialization of untrusted data in Jackson Databind

Exploit likelihood

88%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2020-14060

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — https://github.com/FasterXML/jackson-databind/issues/2688

OS	Version	Status	Fixed in
debian	bookworm	fixed	`2.11.1-1`
debian	bullseye	fixed	`2.11.1-1`
debian	forky	fixed	`2.11.1-1`
debian	sid	fixed	`2.11.1-1`
debian	trixie	fixed	`2.11.1-1`

Ecosystem	Package	Vulnerable	Fixed
Maven	com.fasterxml.jackson.core:jackson-databind	`>=2.9.0,<2.9.10.5`	`2.9.10.5`
MAVEN	com.fasterxml.jackson.core:jackson-databind	`>= 2.9.0, <= 2.9.10.4`	`2.9.10.5`

Vendor	Product	Versions	Fixed
fasterxml	jackson-databind	`{"startIncluding":"2.0.0","endExcluding":"2.9.10.5"}`	`2.9.10.5`
netapp	active_iq_unified_manager	`{"startIncluding":"7.3"}`
netapp	steelstore_cloud_integrated_storage	`-`
oracle	agile_plm	`9.3.6`
oracle	banking_digital_experience	`18.1`
oracle	banking_digital_experience	`18.2`
oracle	banking_digital_experience	`18.3`
oracle	banking_digital_experience	`19.1`
oracle	banking_digital_experience	`19.2`
oracle	banking_digital_experience	`20.1`
oracle	communications_calendar_server	`8.0.0.4.0`
oracle	communications_contacts_server	`8.0.0.5.0`
oracle	communications_diameter_signaling_router	`{"startIncluding":"8.0.0","endIncluding":"8.2.2"}`
oracle	communications_element_manager	`{"startIncluding":"8.2.0","endIncluding":"8.2.2"}`
oracle	communications_evolved_communications_application_server	`7.1`
oracle	communications_session_report_manager	`{"startIncluding":"8.2.0","endIncluding":"8.2.2"}`
oracle	communications_session_route_manager	`{"startIncluding":"8.2.0","endIncluding":"8.2.2"}`

CWE-502

Verify integrity in audit chain (admin only). AS-IS.