Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTI4OGMtY3E0aC04OGdx

High EPSS: 0.00011% (0.01063 Percentile) EPSS:
Permalink JSON

XML External Entity (XXE) Injection in Jackson Databind

Affected Packages Affected Versions Fixed Versions
maven:com.fasterxml.jackson.core:jackson-databind >= 2.6.0, <= 2.6.7.3, >= 2.10.0.0, <= 2.10.5.0, >= 2.7.0.0, <= 2.9.10.6 2.6.7.4, 2.10.5.1, 2.9.10.7
23,566 Dependent packages
244,221 Dependent repositories

Affected Version Ranges

All affected versions

2.0.0, 2.0.1, 2.0.2, 2.0.4, 2.0.5, 2.0.6, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.4.6, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.5.4, 2.5.5, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 2.6.7, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.7.5, 2.7.6, 2.7.7, 2.7.8, 2.7.9, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.8.5, 2.8.6, 2.8.7, 2.8.8, 2.8.9, 2.8.10, 2.8.11, 2.9.0, 2.9.1, 2.9.1-0.1, 2.9.1-0.2, 2.9.1-0.3, 2.9.1-0.4, 2.9.1-0.5, 2.9.1-0.6, 2.9.2, 2.9.3, 2.9.4, 2.9.5, 2.9.6, 2.9.7, 2.9.8, 2.9.9, 2.9.10, 2.10.0, 2.10.1, 2.10.2, 2.10.3, 2.10.4, 2.10.5, 2.11.0, 2.11.1, 2.11.2, 2.11.3, 2.11.4, 2.12.0, 2.12.1, 2.12.2, 2.12.3, 2.12.4, 2.12.5, 2.12.6, 2.12.7, 2.13.0, 2.13.1, 2.13.2, 2.13.3, 2.13.4, 2.13.5, 2.14.0, 2.14.1, 2.14.2, 2.14.3, 2.15.0, 2.15.1, 2.15.2, 2.15.3, 2.15.4, 2.16.0, 2.16.1, 2.16.2, 2.17.0, 2.17.1, 2.17.2, 2.17.3, 2.18.0, 2.18.1, 2.18.2, 2.18.3, 2.18.4, 2.19.0, 2.19.1, 2.19.2

All unaffected versions

A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.

References:

Identifiers

GHSA-288c-cq4h-88gq

CVE-2020-25649

Risk

Severity

High

EPSS

EPSS Percentage: 0.00011

EPSS Percentile: 0.01063

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/FasterXML/jackson-databind

Date and time

Published

over 4 years ago

Updated

over 1 year ago

API

JSON