Overview
- Description
- A deserialization flaw was discovered in jackson-databind through 2.9.10.4. It could allow an unauthenticated user to perform code execution via ignite-jta or quartz-core: org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup, org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory, and org.quartz.utils.JNDIConnectionProvider.
- Source
- cve@mitre.org
- NVD status
- Modified
Risk scores
CVSS 3.1
- Type
- Primary
- Base score
- 8.1
- Impact score
- 5.9
- Exploitability score
- 2.2
- Vector string
- CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity
- HIGH
Weaknesses
- nvd@nist.gov
- CWE-502
Social media
- Hype score
- Not currently trending
Configurations
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "238F4D80-C84C-4C96-B45D-D73ADE46A3C8",
"versionEndIncluding": "2.9.10.4"
}
],
"operator": "OR"
}
]
},
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:oracle:retail_merchandising_system:15.0:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "792DF04A-2D1B-40B5-B960-3E7152732EB8"
},
{
"criteria": "cpe:2.3:a:oracle:retail_sales_audit:14.1:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "7DA6E92C-AC3B-40CF-96AE-22CD8769886F"
}
],
"operator": "OR"
}
]
}
]