CVE-2020-25649 — jackson-databind - security update

Description

A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.

How to fix CVE-2020-25649

To remediate CVE-2020-25649, upgrade the affected package to a fixed version below.

Debian/jackson-databind—upgrade to 2.11.1-1 or later
—upgrade to 2.8.6-1+deb9u8 or later
—upgrade to 2.6.7.4 or later

Is CVE-2020-25649 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

from 0, < 2.11.1-1
from 0, < 2.8.6-1+deb9u8
>= 2.6.0, < 2.6.7.4

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References (76)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-25649
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2020-25649
PATCHgithub.com/FasterXML/jackson-databind
WEBbugzilla.redhat.com/show_bug.cgi?id=1887664