CVE-2020-25649

Name: CVE-2020-25649
Description: A flaw was found in FasterXML Jackson Databind, where entity expansion was not secured properly. This flaw leaves applications that use it vulnerable to XML external entity (XXE) attacks. The highest threat from this vulnerability is to data integrity.
Source: CVE
References: DLA-2406-1
NVD severity: medium

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package          Release              Version           Status
jackson-databind (PTS)  stretch              2.8.6-1+deb9u7    vulnerable
                        stretch (security)   2.8.6-1+deb9u9    fixed
                        buster               2.9.8-3+deb10u2   vulnerable
                        buster (security)    2.9.8-3+deb10u1   vulnerable
                        bullseye, sid        2.12.1-1          fixed

The information below is based on the following data on fixed versions.

Package           Type    Release     Fixed Version    Urgency   Origin      Debian Bugs
jackson-databind  source  stretch     2.8.6-1+deb9u8             DLA-2406-1
jackson-databind  source  (unstable)  2.11.1-1

Notes

[buster] - jackson-databind <no-dsa> (Minor issue)
https://github.com/FasterXML/jackson-databind/issues/2589
https://github.com/FasterXML/jackson-databind/commit/612f971b78c60202e9cd75a299050c8f2d724a59 (jackson-databind-2.11.0.rc1)
