Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2021-2024 and is owned by Tenable, Inc. or an Affiliate thereof.OPENSUSE-2021-221.NASL
HistoryFeb 04, 2021 - 12:00 a.m.

openSUSE Security Update : jackson-databind (openSUSE-2021-221)

2021-02-0400:00:00
This script is Copyright (C) 2021-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
18

8.1 High

AI Score

Confidence

High

JSON

This update for jackson-databind fixes the following issues :

jackson-databind was updated to 2.10.5.1 :

  • #2589: DOMDeserializer:
    setExpandEntityReferences(false) may not prevent external entity expansion in all cases (CVE-2020-25649, bsc#1177616)

  • #2787 (partial fix): NPE after add mixin for enum

  • #2679: β€˜ObjectMapper.readValue(β€˜123’, Void.TYPE)’ throws β€˜should never occur’

This update was imported from the SUSE:SLE-15-SP2:Update update project.

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update openSUSE-2021-221.
#
# The text description of this plugin is (C) SUSE LLC.
#

include('compat.inc');

if (description)
{
  script_id(146144);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/01/24");

  script_cve_id("CVE-2020-25649", "CVE-2020-35728", "CVE-2021-20190");
  script_xref(name:"CEA-ID", value:"CEA-2021-0025");

  script_name(english:"openSUSE Security Update : jackson-databind (openSUSE-2021-221)");

  script_set_attribute(attribute:"synopsis", value:
"The remote openSUSE host is missing a security update.");
  script_set_attribute(attribute:"description", value:
"This update for jackson-databind fixes the following issues :

jackson-databind was updated to 2.10.5.1 :

  - #2589: `DOMDeserializer`:
    setExpandEntityReferences(false) may not prevent
    external entity expansion in all cases (CVE-2020-25649,
    bsc#1177616)

  - #2787 (partial fix): NPE after add mixin for enum

  - #2679: 'ObjectMapper.readValue('123', Void.TYPE)' throws
    'should never occur'

This update was imported from the SUSE:SLE-15-SP2:Update update
project.");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1177616");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1180391");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1181118");
  script_set_attribute(attribute:"solution", value:
"Update the affected jackson-databind packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-20190");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/12/03");
  script_set_attribute(attribute:"patch_publication_date", value:"2021/02/01");
  script_set_attribute(attribute:"plugin_publication_date", value:"2021/02/04");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:jackson-databind");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:jackson-databind-javadoc");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:15.2");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"SuSE Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2021-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE15\.2)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "15.2", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);



flag = 0;

if ( rpm_check(release:"SUSE15.2", reference:"jackson-databind-2.10.5.1-lp152.2.3.1") ) flag++;
if ( rpm_check(release:"SUSE15.2", reference:"jackson-databind-javadoc-2.10.5.1-lp152.2.3.1") ) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "jackson-databind / jackson-databind-javadoc");
}
VendorProductVersionCPE
novellopensusejackson-databindp-cpe:/a:novell:opensuse:jackson-databind
novellopensusejackson-databind-javadocp-cpe:/a:novell:opensuse:jackson-databind-javadoc
novellopensuse15.2cpe:/o:novell:opensuse:15.2

Related

openvas 7
ibm 49
github 3
veracode 3
redhatcve 3
githubexploit 1
prion 3
debiancve 3
osv 8
cve 3
ubuntucve 3
nessus 18
redhat 20
atlassian 1
debian 2
fedora 1
suse 1
threatpost 1
mageia 1
hp 1
oracle 9
openvas
openvas
SUSE: Security Advisory (SUSE-SU-2021:0243-1)
2021-06-09 00:00:00
Fedora: Security Advisory for jackson-databind (FEDORA-2021-1d8254899c)
2021-02-10 00:00:00
Debian: Security Advisory (DLA-2406-1)
2020-10-15 00:00:00
ibm
ibm
Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in FasterXML jackson-databind
2021-02-27 03:41:33
Security Bulletin: IBM Cloud Private is vulnerable to FasterXML jackson-databind vulnerabilities (CVE-2020-35728)
2022-02-07 17:33:02
Security Bulletin: jackson-databind vulnerability CVE-2020-35728 impacts IBM Aspera High-Speed Transfer Server and Aspera High-Speed Transfer Endpoint versions prior to V4.0
2021-03-03 08:02:04
github
github
Serialization gadget exploit in jackson-databind
2021-12-09 19:15:24
XML External Entity (XXE) Injection in Jackson Databind
2021-02-18 20:51:54
Deserialization of untrusted data in jackson-databind
2021-01-20 21:20:15
veracode
veracode
Remote Code Execution (RCE)
2020-12-28 03:59:12
XML External Entity (XXE)
2020-10-15 05:10:32
Arbitrary Code Execution
2021-01-21 06:47:32
redhatcve
redhatcve
CVE-2020-35728
2020-12-29 19:59:34
CVE-2021-20190
2021-01-18 09:15:28
CVE-2020-25649
2020-10-13 20:16:54
githubexploit
githubexploit
Exploit for Deserialization of Untrusted Data in Fasterxml Jackson-Databind
2020-12-31 01:55:39
prion
prion
Code injection
2020-12-27 05:15:00
Design/Logic Flaw
2021-01-19 17:15:00
Xxe
2020-12-03 17:15:00
debiancve
debiancve
CVE-2020-35728
2020-12-27 05:15:00
CVE-2020-25649
2020-12-03 17:15:00
CVE-2021-20190
2021-01-19 17:15:00
osv
osv
Serialization gadget exploit in jackson-databind
2021-12-09 19:15:24
CVE-2020-35728
2020-12-27 05:15:11
CVE-2021-20190
2021-01-19 17:15:13
cve
cve
CVE-2020-35728
2020-12-27 05:15:00
CVE-2021-20190
2021-01-19 17:15:00
CVE-2020-25649
2020-12-03 17:15:00
ubuntucve
ubuntucve
CVE-2020-35728
2020-12-27 00:00:00
CVE-2021-20190
2021-01-19 00:00:00
CVE-2020-25649
2020-12-03 00:00:00
nessus
nessus
RHEL 7 : rh-maven35-jackson-databind (RHSA-2020:4312)
2023-01-23 00:00:00
Debian DLA-2406-1 : jackson-databind security update
2020-10-15 00:00:00
RHEL 8 : RHV-M(ovirt-engine) 4.4.z security, bug fix, enhancement update [ovirt-4.4.4] (Low) (RHSA-2021:0381)
2021-02-03 00:00:00
redhat
redhat
(RHSA-2020:4379) Important: Red Hat build of Eclipse Vert.x 3.9.4 security update
2020-11-09 16:15:41
(RHSA-2021:1260) Low: Red Hat AMQ Streams 1.7.0 release and security update
2021-04-19 17:59:54
(RHSA-2021:0381) Low: RHV-M(ovirt-engine) 4.4.z security, bug fix, enhancement update [ovirt-4.4.4]
2021-02-02 13:32:57
atlassian
atlassian
XXE (XML External Entity Injection) jackson-databind in Jira Software Data Center and Server
2023-12-07 21:45:20
debian
debian
[SECURITY] [DLA 2406-1] jackson-databind security update
2020-10-14 10:31:09
[SECURITY] [DLA 2638-1] jackson-databind security update
2021-04-24 20:50:12
fedora
fedora
[SECURITY] Fedora 32 Update: jackson-databind-2.10.5.1-1.fc32
2021-02-10 01:30:26
suse
suse
Security update for jackson-databind, jackson-dataformats-binary, jackson-annotations, jackson-bom, jackson-core (important)
2022-05-16 00:00:00
threatpost
threatpost
IBM Squashes Critical Remote Code-Execution Flaw
2021-02-23 19:36:32
mageia
mageia
Updated jackson-databind packages fix security vulnerabilities
2021-03-27 17:27:02
hp
hp
HP Device Manager Security Updates
2023-10-20 00:00:00
oracle
oracle
Oracle Critical Patch Update Advisory - July 2021
2021-07-20 00:00:00
Oracle Critical Patch Update Advisory - July 2022
2022-07-19 00:00:00
Oracle Critical Patch Update Advisory - April 2023
2023-04-18 00:00:00

8.1 High

AI Score

Confidence

High

JSON
Related for OPENSUSE-2021-221.NASL
openvas7ibm49github3veracode3redhatcve3githubexploit1prion3debiancve3osv8cve3ubuntucve3nessus18redhat20atlassian1debian2fedora1suse1threatpost1mageia1hp1oracle9