Candidate: CVE-2020-25649
PublicDate: 2020-12-03 17:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25649
 https://github.com/FasterXML/jackson-databind/issues/2589
 https://github.com/FasterXML/jackson-databind/commit/612f971b78c60202e9cd75a299050c8f2d724a59 (jackson-databind-2.11.0.rc1)
Description:
 A flaw was found in FasterXML Jackson Databind, where it did not have
 entity expansion secured properly. This flaw allows vulnerability to XML
 external entity (XXE) attacks. The highest threat from this vulnerability
 is data integrity.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N [7.5 HIGH]


Patches_jackson-databind:
upstream_jackson-databind: released (2.11.1-1)
precise/esm_jackson-databind: DNE
trusty_jackson-databind: ignored (out of standard support)
trusty/esm_jackson-databind: DNE
xenial_jackson-databind: ignored (end of standard support, was needed)
bionic_jackson-databind: needed
focal_jackson-databind: needed
groovy_jackson-databind: not-affected (2.11.1-1)
hirsute_jackson-databind: not-affected (2.11.1-1)
impish_jackson-databind: not-affected (2.11.1-1)
jammy_jackson-databind: not-affected (2.11.1-1)
devel_jackson-databind: not-affected (2.11.1-1)