High severity: FasterXML Jackson Databind XML External Entity Injection Vulnerability

CVE ID

CVE-2020-25649

Exploitation status

None known

Patch status

Official patch

Disclosure date

2020-12-04
Vulnerability description
FasterXML Jackson Databind contains an XML external entity (XXE) injection vulnerability. An attacker can exploit it to carry out an XML external entity attack and compromise data integrity.
Remediation
The vendor has released a fix. Patch link: https://github.com/FasterXML/jackson-databind/commit/612f971b78c60202e9cd75a299050c8f2d724a59
References
https://bugzilla.redhat.com/show_bug.cgi?id=1887664
https://github.com/FasterXML/jackson-databind/issues/2589
https://lists.apache.org/thread.html/r011d1430e8f40dff9550c3bc5d0f48b14c01ba8...
https://lists.apache.org/thread.html/r024b7bda9c43c5560d81238748775c5ecfe01b5...
https://lists.apache.org/thread.html/r04529cedaca40c2ff90af4880493f9c88a8ebf4...
https://lists.apache.org/thread.html/r0881e23bd9034c8f51fdccdc8f4d085ba985dcd...
https://lists.apache.org/thread.html/r0b8dc3acd4503e4ecb6fbd6ea7d95f59941168d...
https://lists.apache.org/thread.html/r1b7ed0c4b6c4301d4dfd6fdbc5581b0a789d324...
https://lists.apache.org/thread.html/r2882fc1f3032cd7be66e28787f04ec6f1874ac6...
https://lists.apache.org/thread.html/r2b6ddb3a4f4cd11d8f6305011e1b7438ba81351...
https://lists.apache.org/thread.html/r2eb66c182853c69ecfb52f63d3dec09495e9b65...
https://lists.apache.org/thread.html/r2f5c5479f99398ef344b7ebd4d90bc3316236c4...
https://lists.apache.org/thread.html/r31f4ee7d561d56a0c2c2c6eb1d6ce3e05917ff9...
https://lists.apache.org/thread.html/r3e6ae311842de4e64c5d560a475b7f9cc7e0a9a...
https://lists.apache.org/thread.html/r407538adec3185dd35a05c9a26ae2f74425b151...
https://lists.apache.org/thread.html/r45e7350dfc92bb192f3f88e9971c11ab2be0953...
https://lists.apache.org/thread.html/r5b130fe668503c4b7e2caf1b16f86b7f2070fd1...
https://lists.apache.org/thread.html/r5f8a1608d758936bd6bbc5eed980777437b6115...
https://lists.apache.org/thread.html/r605764e05e201db33b3e9c2e66ff620658f07ad...
https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee...
https://lists.apache.org/thread.html/r63c87aab97155f3f3cbe11d030c4a184ea0de44...
https://lists.apache.org/thread.html/r68d029ee74ab0f3b0569d0c05f5688cb45dd3ab...
https://lists.apache.org/thread.html/r6a4f3ef6edfed2e0884269d84798f766779bbbc...
https://lists.apache.org/thread.html/r6a6df5647583541e3cb71c75141008802f7025c...
https://lists.apache.org/thread.html/r6b11eca1d646f45eb0d35d174e6b1e47cfae529...
https://lists.apache.org/thread.html/r6cbd599b80e787f02ff7a1391d9278a03f37d6a...
https://lists.apache.org/thread.html/r6e3d4f7991542119a4ca6330271d7fbf7b9fb3a...
https://lists.apache.org/thread.html/r73bef1bb601a9f093f915f8075eb49fcca51efa...
https://lists.apache.org/thread.html/r765283e145049df9b8998f14dcd444345555aae...
https://lists.apache.org/thread.html/r78d53a0a269c18394daf5940105dc8c7f9a2399...
https://lists.apache.org/thread.html/r7cb5b4b3e4bd41a8042e5725b7285877a17bcbf...
https://lists.apache.org/thread.html/r86c78bf7656fdb2dab69cbf17f3d7492300f771...
https://lists.apache.org/thread.html/r8764bb835bcb8e311c882ff91dd3949c9824e90...
https://lists.apache.org/thread.html/r8937a7160717fe8b2221767163c4de4f65bc546...
https://lists.apache.org/thread.html/r8ae961c80930e2717c75025414ce48a432cea11...
https://lists.apache.org/thread.html/r900d4408c4189b376d1ec580ea7740ea6f8710d...
https://lists.apache.org/thread.html/r90d1e97b0a743cf697d89a792a9b669909cc5a1...
https://lists.apache.org/thread.html/r91722ecfba688b0c565675f8bf380269fde8ec6...
https://lists.apache.org/thread.html/r94c7e86e546120f157264ba5ba61fd29b3a8d53...
https://lists.apache.org/thread.html/r95a297eb5fd1f2d3a2281f15340e2413f952e9d...
https://lists.apache.org/thread.html/r98bfe3b90ea9408f12c4b447edcb5638703d80b...
https://lists.apache.org/thread.html/ra1157e57a01d25e36b0dc17959ace758fc21ba3...
https://lists.apache.org/thread.html/ra409f798a1e5a6652b7097429b388650ccd65fd...
https://lists.apache.org/thread.html/ra95faf968f3463acb3f31a6fbec31453fc50453...
https://lists.apache.org/thread.html/raf13235de6df1d47a717199e1ecd700dff32366...
https://lists.apache.org/thread.html/rb674520b9f6c808c1bf263b1369e14048ec3243...
https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af...
https://lists.apache.org/thread.html/rc15e90bbef196a5c6c01659e015249d6c9a7358...
https://lists.apache.org/thread.html/rc82ff47853289e9cd17f5cfbb053c04cafc75ee...
https://lists.apache.org/thread.html/rc88f2fa2b7bd6443921727aeee7704a1fb02433...
https://lists.apache.org/thread.html/rc959cdb57c4fe198316130ff4a5ecbf9d680e35...
https://lists.apache.org/thread.html/rd317f15a675d114dbf5b488d27eeb2467b44243...
https://lists.apache.org/thread.html/rd57c7582adc90e233f23f3727db3df9115b27a8...
https://lists.apache.org/thread.html/rd6f6bf848c2d47fa4a85c27d011d948778b8f7e...
https://lists.apache.org/thread.html/rdca8711bb7aa5d47a44682606cd0ea3497e2e92...
https://lists.apache.org/thread.html/rdf9a34726482222c90d50ae1b9847881de67dde...
https://lists.apache.org/thread.html/re16f81d3ad49a93dd2f0cba9f8fc88e5fb89f30...
https://lists.apache.org/thread.html/re96dc7a13e13e56190a5d80f9e5440a0d0c83ae...
https://lists.apache.org/thread.html/rf1809a1374041a969d77afab21fc38925de066b...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://security.netapp.com/advisory/ntap-20210108-0007/
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpuApr2021.html
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpujul2022.html
https://www.oracle.com/security-alerts/cpuoct2021.html
Affected software
#   Type         Vendor              Product           Version  Affected range
1   Application  fasterxml           jackson-databind  *        Up to (excluding) 2.6.7.4
2   Application  fasterxml           jackson-databind  *        From (including) 2.10.0 up to (excluding) 2.10.5.1
3   Application  fasterxml           jackson-databind  *        From (including) 2.9.0 up to (excluding) 2.9.10.7
4   System       debian_10           jackson-databind  *        Up to (excluding) 2.9.8-3+deb10u3
5   System       debian_11           jackson-databind  *        Up to (excluding) 2.11.1-1
6   System       debian_12           jackson-databind  *        Up to (excluding) 2.11.1-1
7   System       debian_9            jackson-databind  *        Up to (excluding) 2.8.6-1+deb9u8
8   System       fedora_32           jackson-databind  *        Up to (excluding) 2.10.5.1-1.fc32
9   System       opensuse_Leap_15.3  jackson-bom       *        Up to (excluding) 2.13.0-150200.3.6.1
10  System       opensuse_Leap_15.4  jackson-bom       *        Up to (excluding) 2.13.0-150200.3.6.1
Alibaba Cloud score
7.9
  • Attack vector
    Remote
  • Attack complexity
    Easy
  • Privileges required
    None
  • Scope
    Global impact
  • Exploit maturity
    Unverified
  • Patch status
    Official patch
  • Data confidentiality
    Data leakage
  • Data integrity
    Transmission compromised
  • Server impact
    Server compromise
  • Internet-wide count
    N/A
CWE-ID  Vulnerability type
CWE-611 Improper Restriction of XML External Entity Reference (XXE)
Alibaba Cloud security product coverage