Get a Demo

Let's Patch It!

Book a short call with one our specialists, we'll walk you through how Endor Patches work, and ask you a few questions about your environment (like your primary programming languages and repository management). We'll also send you an email right after you fill out the form, feel free to reply with any questions you have in advance!

CVE

CVE-2020-25649

XML External Entity (XXE) Injection in Jackson Databind

Description

A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.

Base CVSS

7.5

EPSS Score

0.01%

Introduced Version

2.0.0-RC1

Fix Available

2.9.10.7,2.10.5.1,2.6.7.4

Fix without Upgrading

Available Patches

Package

CVEs Fixed

Lines of Code Changed

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

com.fasterxml.jackson.core:jackson-databind

References

https://lists.apache.org/thread.html/r0881e23bd9034c8f51fdccdc8f4d085ba985dcd738f8520569ca5c3d@%3Cissues.hive.apache.org%3E

https://bugzilla.redhat.com/show_bug.cgi?id=1887664

https://lists.apache.org/thread.html/r6b11eca1d646f45eb0d35d174e6b1e47cfae5295b92000856bfb6304@%3Cusers.kafka.apache.org%3E

https://lists.apache.org/thread.html/r63c87aab97155f3f3cbe11d030c4a184ea0de440ee714977db02e956@%3Cjira.kafka.apache.org%3E

https://lists.apache.org/thread.html/r86c78bf7656fdb2dab69cbf17f3d7492300f771025f1a3a65d5e5ce5@%3Ccommits.zookeeper.apache.org%3E

https://lists.apache.org/thread.html/r73bef1bb601a9f093f915f8075eb49fcca51efade57b817afd5def07@%3Ccommits.iotdb.apache.org%3E

https://lists.apache.org/thread.html/r95a297eb5fd1f2d3a2281f15340e2413f952e9d5503296c3adc7201a@%3Ccommits.tomee.apache.org%3E

https://lists.apache.org/thread.html/rc88f2fa2b7bd6443921727aeee7704a1fb02433e722e2abf677e0d3d@%3Ccommits.zookeeper.apache.org%3E

https://lists.apache.org/thread.html/r6e3d4f7991542119a4ca6330271d7fbf7b9fb3abab24ada82ddf1ee4@%3Cnotifications.zookeeper.apache.org%3E

https://www.oracle.com/security-alerts/cpujan2022.html

https://lists.apache.org/thread.html/rc959cdb57c4fe198316130ff4a5ecbf9d680e356032ff2e9f4f05d54@%3Cjira.kafka.apache.org%3E

https://lists.apache.org/thread.html/r6a4f3ef6edfed2e0884269d84798f766779bbbc1005f7884e0800d61@%3Cdev.knox.apache.org%3E

https://lists.apache.org/thread.html/r6a6df5647583541e3cb71c75141008802f7025cee1c430d4ed78f4cc@%3Cissues.hive.apache.org%3E

https://lists.apache.org/thread.html/r68d029ee74ab0f3b0569d0c05f5688cb45dd3abe96a6534735252805@%3Cnotifications.zookeeper.apache.org%3E

https://lists.apache.org/thread.html/re16f81d3ad49a93dd2f0cba9f8fc88e5fb89f30bf9a2ad7b6f3e69c1@%3Ccommits.karaf.apache.org%3E

https://www.oracle.com/security-alerts/cpuapr2022.html

https://lists.apache.org/thread.html/r04529cedaca40c2ff90af4880493f9c88a8ebf4d1d6c861d23108a5a@%3Cnotifications.zookeeper.apache.org%3E

https://lists.apache.org/thread.html/r8ae961c80930e2717c75025414ce48a432cea1137c02f648b1fb9524@%3Cissues.hive.apache.org%3E

https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cdev.kafka.apache.org%3E

https://lists.apache.org/thread.html/rd6f6bf848c2d47fa4a85c27d011d948778b8f7e58ba495968435a0b3@%3Cissues.zookeeper.apache.org%3E

https://lists.apache.org/thread.html/r45e7350dfc92bb192f3f88e9971c11ab2be0953cc375be3dda5170bd@%3Cissues.flink.apache.org%3E

https://lists.apache.org/thread.html/re96dc7a13e13e56190a5d80f9e5440a0d0c83aeec6467b562fbf2dca@%3Cjira.kafka.apache.org%3E

https://lists.apache.org/thread.html/r90d1e97b0a743cf697d89a792a9b669909cc5a1692d1e0083a22e66c@%3Cissues.zookeeper.apache.org%3E

https://lists.apache.org/thread.html/r5f8a1608d758936bd6bbc5eed980777437b611537bf6fff40663fc71@%3Cjira.kafka.apache.org%3E

https://lists.apache.org/thread.html/r011d1430e8f40dff9550c3bc5d0f48b14c01ba8aecabd91d5e495386@%3Ccommits.turbine.apache.org%3E

https://lists.apache.org/thread.html/raf13235de6df1d47a717199e1ecd700dff3236632f5c9a1488d9845b@%3Cjira.kafka.apache.org%3E

https://lists.apache.org/thread.html/r2b6ddb3a4f4cd11d8f6305011e1b7438ba813511f2e3ab3180c7ffda@%3Ccommits.druid.apache.org%3E

https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cdev.kafka.apache.org%3E

https://lists.apache.org/thread.html/r2eb66c182853c69ecfb52f63d3dec09495e9b65be829fd889a081ae1@%3Cdev.hive.apache.org%3E

https://lists.apache.org/thread.html/r605764e05e201db33b3e9c2e66ff620658f07ad74f296abe483f7042@%3Creviews.iotdb.apache.org%3E

https://lists.apache.org/thread.html/r8937a7160717fe8b2221767163c4de4f65bc5466405cb1c5310f9080@%3Cdev.kafka.apache.org%3E

https://nvd.nist.gov/vuln/detail/CVE-2020-25649

https://lists.apache.org/thread.html/rdf9a34726482222c90d50ae1b9847881de67dde8cfde4999633d2cdc@%3Ccommits.zookeeper.apache.org%3E

https://lists.apache.org/thread.html/r94c7e86e546120f157264ba5ba61fd29b3a8d530ed325a9b4fa334d7@%3Ccommits.zookeeper.apache.org%3E

https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cusers.kafka.apache.org%3E

https://lists.apache.org/thread.html/rf1809a1374041a969d77afab21fc38925de066bc97e86157d3ac3402@%3Ccommits.karaf.apache.org%3E

https://security.netapp.com/advisory/ntap-20210108-0007

https://lists.apache.org/thread.html/r407538adec3185dd35a05c9a26ae2f74425b15132470cf540f41d85b@%3Cissues.hive.apache.org%3E

https://lists.apache.org/thread.html/r8764bb835bcb8e311c882ff91dd3949c9824e905e880930be56f6ba3@%3Cuser.spark.apache.org%3E

https://lists.apache.org/thread.html/r91722ecfba688b0c565675f8bf380269fde8ec62b54d6161db544c22@%3Ccommits.karaf.apache.org%3E

https://lists.apache.org/thread.html/r2f5c5479f99398ef344b7ebd4d90bc3316236c45d0f3bc42090efcd7@%3Cissues.hive.apache.org%3E

https://github.com/FasterXML/jackson-databind/commit/612f971b78c60202e9cd75a299050c8f2d724a59

https://lists.apache.org/thread.html/r1b7ed0c4b6c4301d4dfd6fdbc5581b0a789d3240cab55d766f33c6c6@%3Cjira.kafka.apache.org%3E

https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cusers.kafka.apache.org%3E

https://lists.apache.org/thread.html/r6cbd599b80e787f02ff7a1391d9278a03f37d6a6f4f943f0f01a62fb@%3Creviews.iotdb.apache.org%3E

https://lists.apache.org/thread.html/r2882fc1f3032cd7be66e28787f04ec6f1874ac68d47e310e30ff7eb1@%3Cjira.kafka.apache.org%3E

https://www.oracle.com/security-alerts/cpuApr2021.html

https://lists.apache.org/thread.html/rd57c7582adc90e233f23f3727db3df9115b27a823b92374f11453f34@%3Cissues.hive.apache.org%3E

https://lists.apache.org/thread.html/rc82ff47853289e9cd17f5cfbb053c04cafc75ee32e3d7223963f83bb@%3Cdev.knox.apache.org%3E

https://lists.apache.org/thread.html/rc15e90bbef196a5c6c01659e015249d6c9a73581ca9afb8aeecf00d2@%3Cjira.kafka.apache.org%3E

https://lists.apache.org/thread.html/r6b11eca1d646f45eb0d35d174e6b1e47cfae5295b92000856bfb6304@%3Cdev.kafka.apache.org%3E

https://www.oracle.com/security-alerts/cpuoct2021.html

https://www.oracle.com//security-alerts/cpujul2021.html

https://github.com/FasterXML/jackson-databind/commit/3d932709abd0b5390efe67451653fc9efa9db677

https://lists.apache.org/thread.html/r900d4408c4189b376d1ec580ea7740ea6f8710dc2f0b7e9c9eeb5ae0@%3Cdev.zookeeper.apache.org%3E

https://github.com/FasterXML/jackson-databind/issues/2589

https://lists.apache.org/thread.html/r024b7bda9c43c5560d81238748775c5ecfe01b57280f90df1f773949@%3Cissues.hive.apache.org%3E

https://lists.apache.org/thread.html/ra409f798a1e5a6652b7097429b388650ccd65fd958cee0b6f69bba00@%3Cissues.hive.apache.org%3E

https://lists.apache.org/thread.html/ra95faf968f3463acb3f31a6fbec31453fc5045325f99f396961886d3@%3Cissues.flink.apache.org%3E

https://lists.apache.org/thread.html/r765283e145049df9b8998f14dcd444345555aae02b1610cfb3188bf8@%3Cnotifications.iotdb.apache.org%3E

https://lists.apache.org/thread.html/rd317f15a675d114dbf5b488d27eeb2467b4424356b16116eb18a652d@%3Cjira.kafka.apache.org%3E

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6X2UT4X6M7DLQYBOOHMXBWGYJ65RL2CT

https://lists.apache.org/thread.html/r0b8dc3acd4503e4ecb6fbd6ea7d95f59941168d8452ac0ab1d1d96bb@%3Cissues.zookeeper.apache.org%3E

https://lists.apache.org/thread.html/r8937a7160717fe8b2221767163c4de4f65bc5466405cb1c5310f9080@%3Cusers.kafka.apache.org%3E

https://github.com/FasterXML/jackson-databind

https://lists.apache.org/thread.html/r5b130fe668503c4b7e2caf1b16f86b7f2070fd1b7ef8f26195a2ffbd@%3Cissues.hive.apache.org%3E

https://lists.apache.org/thread.html/r7cb5b4b3e4bd41a8042e5725b7285877a17bcbf07f4eb3f7b316af60@%3Creviews.iotdb.apache.org%3E

https://lists.apache.org/thread.html/r98bfe3b90ea9408f12c4b447edcb5638703d80bc782430aa0c210a54@%3Cissues.zookeeper.apache.org%3E

https://lists.apache.org/thread.html/rb674520b9f6c808c1bf263b1369e14048ec3243615f35cfd24e33604@%3Cissues.zookeeper.apache.org%3E

https://lists.apache.org/thread.html/r3e6ae311842de4e64c5d560a475b7f9cc7e0a9a8649363c6cf7537eb@%3Ccommits.karaf.apache.org%3E

https://lists.apache.org/thread.html/rdca8711bb7aa5d47a44682606cd0ea3497e2e922f22b7ee83e81e6c1@%3Cissues.hive.apache.org%3E

https://lists.apache.org/thread.html/r78d53a0a269c18394daf5940105dc8c7f9a2399503c2e78be20abe7e@%3Cjira.kafka.apache.org%3E

https://lists.apache.org/thread.html/ra1157e57a01d25e36b0dc17959ace758fc21ba36746de29ba1d8b130@%3Cjira.kafka.apache.org%3E

https://lists.apache.org/thread.html/r31f4ee7d561d56a0c2c2c6eb1d6ce3e05917ff9654fdbfec05dc2b83@%3Ccommits.servicecomb.apache.org%3E

https://www.oracle.com/security-alerts/cpujul2022.html

AppSec for the Software Development Revolution

Endor Labs builds a complete graph of your software estate, so teams can pinpoint and fix critical risks in complex, dependency-rich code—whether it was written by humans or AI.

Welcome to the resistance

Oops! Something went wrong, please try again.