CVE-2020-35728

Description

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl).

Risk Information

Base Score

8.1

MODERATE

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

Exploitation Probability

39.669

Associated Vulnerability

Vulnerability	OS Platform
Multiple vulnerabilities are fixed in Jackson-databind 2.9.10.8	Windows
Multiple Vulnerabilities are affected in IBM Sterling B2B Integrator 5.2.6.5	Windows
Multiple Vulnerabilities are affected in IBM Sterling B2B Integrator 6.0.3.4	Windows
Multiple Vulnerabilities are affected in IBM Cognos Analytics 11.1	Windows
Multiple Vulnerabilities are affected in IBM Cognos Analytics 11.2	Windows
Multiple Vulnerabilities are affected in IBM Sterling B2B Integrator 6.0.0.6	Windows
Multiple Vulnerabilities are affected in IBM Sterling B2B Integrator 6.1.0.2	Windows
Multiple vulnerabilities are fixed in Jackson-databind for Linux 2.9.10.8	Linux

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234