https://bugzilla.redhat.com/show_bug.cgi?id=1821304
Bug ID: 1821304
Summary: CVE-2020-11111 jackson-databind: mishandles the
interaction between serialization gadgets and typing
related to org.apache.activemq.* which could result
in remote command execution
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: mkaplan(a)redhat.com
Target Milestone: ---
Classification: Other
A vulnerability was found in Jackson-databind 2.x before 2.9.10.4. It mishandles
the interaction between serialization gadgets and typing, related to
org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and
activemq-pool-jms).