XXE in Apache Iotdb
CVE-2020-25649
A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.
Vulnerability class: XXE (XML External Entity)
EPSS: 0.176 (96.8th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 7.5 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N.
Affected products
- Apache Iotdb
- Fasterxml Jackson-databind
- Netapp Oncommand_api_services
- Netapp Oncommand_workflow_automation
- Netapp Service_level_manager
- Oracle Agile_plm — versions 9.3.6
- Oracle Agile_product_lifecycle_management_integration_pack — versions 3.6
- Oracle Banking_apis — versions 19.1, 19.2, 20.1
- Oracle Banking_platform — versions 2.6.2, 2.7.0, 2.7.1
- Oracle Banking_treasury_management — versions 4.4
Weakness classification (CWE)
Public proof-of-concept exploits
References
- secalert@redhat.com (Third Party Advisory, x_refsource_MISC, Issue Tracking)
- secalert@redhat.com (Patch, Third Party Advisory, x_refsource_MISC)
- secalert@redhat.com (mailing-list, x_refsource_MLIST)
- secalert@redhat.com (mailing-list, x_refsource_MLIST)
- secalert@redhat.com (mailing-list, x_refsource_MLIST)
- secalert@redhat.com (mailing-list, x_refsource_MLIST)
- secalert@redhat.com (mailing-list, x_refsource_MLIST)
- secalert@redhat.com (mailing-list, x_refsource_MLIST)
- secalert@redhat.com (mailing-list, x_refsource_MLIST)
- secalert@redhat.com (mailing-list, x_refsource_MLIST)
Frequently asked questions
- What is CVE-2020-25649?
- CVE-2020-25649 is a high-severity vulnerability in Apache Iotdb, classified under Improper Restriction of XML External Entity Reference (XXE). CVSS score: 7.5/10. Published 2020-12-03.
- How severe is CVE-2020-25649?
- High severity. CVSS v3 base score is 7.5 out of 10.
- Is CVE-2020-25649 known to be exploited?
- 7 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.