**CVSS3: 7.5 High**

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | HIGH |

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

**CVSS2: 5 Medium**

Metric | Value |
---|---|
Access Vector | NETWORK |
Access Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | PARTIAL |

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

**EPSS: 0.002 Low** (percentile 59.6%)
There is a denial of service vulnerability in FasterXML jackson-databind (CVE-2020-36518) open source library included in IBM Informix Dynamic Server for IBM InformixHQ. FasterXML jackson-databind 2.13.2.2 resolves the vulnerability.
CVEID: CVE-2020-36518
**DESCRIPTION:** FasterXML jackson-databind is vulnerable to a denial of service, caused by a Java StackOverflow exception. By using a large depth of nested objects, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/222319 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
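The failure mode described above is stack exhaustion from input nesting, which a service can bound before a payload ever reaches a recursive parser. As an added illustration that is not part of IBM's advisory or of jackson-databind's own code, the following Python scans a JSON document iteratively (so the check itself cannot be overflowed) and rejects it when nesting exceeds a limit; `DEFAULT_MAX_DEPTH` and the sample inputs are assumptions constructed for this example.

```python
import json
from typing import Optional

# Assumed limit; set it to the deepest structure the application legitimately needs.
DEFAULT_MAX_DEPTH = 1000


class NestingTooDeep(ValueError):
    """Raised when a JSON document nests deeper than the configured limit."""


def max_json_depth(text: str, limit: Optional[int] = None) -> int:
    """Return the maximum nesting depth of a JSON document without recursion.

    Counts '{' and '[' that occur outside string literals, tracking escapes so
    that quotes or braces inside strings are not miscounted. If `limit` is
    given and exceeded, raise NestingTooDeep as soon as that happens.
    """
    depth = max_depth = 0
    in_string = escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
            continue
        if ch == '"':
            in_string = True
        elif ch in "{[":
            depth += 1
            if depth > max_depth:
                max_depth = depth
                if limit is not None and max_depth > limit:
                    raise NestingTooDeep(f"nesting depth exceeds {limit}")
        elif ch in "}]":
            depth -= 1
    return max_depth


def safe_loads(text: str, limit: int = DEFAULT_MAX_DEPTH):
    """Parse JSON only after its nesting depth has been bounded."""
    max_json_depth(text, limit)
    return json.loads(text)


if __name__ == "__main__":
    benign = '{"name": "x", "tags": ["a", "{not a brace}"], "meta": {"k": [1, {"d": 2}]}}'
    hostile = "[" * 5000 + "]" * 5000  # constructed sample: deeply nested arrays
    print("benign depth:", max_json_depth(benign))
    try:
        safe_loads(hostile, limit=100)
    except NestingTooDeep as err:
        print("rejected:", err)
```

The same bound can be enforced at the edge (a reverse proxy or API gateway) so that the application's JSON library, whatever its version, never sees an unbounded structure.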
Affected Product(s) | Version(s) |
---|---|
IBM Informix Dynamic Server | 14.10.x |
IBM Informix Dynamic Server | 12.10.x |
Based on current information and analysis, this vulnerability is only in the InformixHQ portion of the Informix Server product.
The affected jackson-databind version is included in InformixHQ, but InformixHQ does not allow users to pass arbitrary input to the vulnerable subroutine.
We realize that the vulnerable version of jackson-databind shows up in open source security scans for the InformixHQ component.
You may follow the steps below to upgrade the open source software.
For 14.10 IBM Informix Server

* **14.10.xC8**: https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm%7EInformation%20Management&product=ibm/Information+Management/Informix&release=14.10.FC8&platform=All&function=fixId&fixids=InformixHQ-2.0.1&includeRequisites=1&includeSupersedes=0&downloadMethod=http

For 12.10 IBM Informix Server

* **12.10.xC15**: https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm~Information%20Management&product=ibm/Information+Management/Informix&release=12.10.FC15&platform=All&function=fixId&fixids=InformixHQ-2.0.1&includeRequisites=1&includeSupersedes=0&downloadMethod=http&login=true
None
CPE | Name | Operator | Version |
---|---|---|---|
| | informix dynamic server | eq | 12.10. |
| | informix dynamic server | eq | 14.10. |