{"id":"CVE-2020-25649","details":"A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.","aliases":["GHSA-288c-cq4h-88gq"],"modified":"2026-04-16T04:35:48.164960864Z","published":"2020-12-03T17:15:12.503Z","related":["CGA-vmwr-24f3-3728","SUSE-SU-2021:0243-1","SUSE-SU-2022:1678-1","openSUSE-SU-2024:10868-1"],"references":[{"type":"WEB","url":"https://lists.apache.org/thread.html/rc959cdb57c4fe198316130ff4a5ecbf9d680e356032ff2e9f4f05d54%40%3Cjira.kafka.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r011d1430e8f40dff9550c3bc5d0f48b14c01ba8aecabd91d5e495386%40%3Ccommits.turbine.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r2b6ddb3a4f4cd11d8f6305011e1b7438ba813511f2e3ab3180c7ffda%40%3Ccommits.druid.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3Cdev.kafka.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/raf13235de6df1d47a717199e1ecd700dff3236632f5c9a1488d9845b%40%3Cjira.kafka.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r86c78bf7656fdb2dab69cbf17f3d7492300f771025f1a3a65d5e5ce5%40%3Ccommits.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/ra95faf968f3463acb3f31a6fbec31453fc5045325f99f396961886d3%40%3Cissues.flink.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/re96dc7a13e13e56190a5d80f9e5440a0d0c83aeec6467b562fbf2dca%40%3Cjira.kafka.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r2f5c5479f99398ef344b7ebd4d90bc3316236c45d0f3bc42090efcd7%40%3Cissues.hive.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r78d53a0a269c18394daf5940105dc8c7f9a2399503c2e78be20abe7e%40%3Cjira.kafka.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/ra1157e57a01d25e36b0dc17959ace758fc21ba36746de29ba1d8b130%40%3Cjira.kafka.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3Cdev.kafka.apache.org%3E"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6X2UT4X6M7DLQYBOOHMXBWGYJ65RL2CT/"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r0b8dc3acd4503e4ecb6fbd6ea7d95f59941168d8452ac0ab1d1d96bb%40%3Cissues.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r63c87aab97155f3f3cbe11d030c4a184ea0de440ee714977db02e956%40%3Cjira.kafka.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r68d029ee74ab0f3b0569d0c05f5688cb45dd3abe96a6534735252805%40%3Cnotifications.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r8937a7160717fe8b2221767163c4de4f65bc5466405cb1c5310f9080%40%3Cusers.kafka.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r6cbd599b80e787f02ff7a1391d9278a03f37d6a6f4f943f0f01a62fb%40%3Creviews.iotdb.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rf1809a1374041a969d77afab21fc38925de066bc97e86157d3ac3402%40%3Ccommits.karaf.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r04529cedaca40c2ff90af4880493f9c88a8ebf4d1d6c861d23108a5a%40%3Cnotifications.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r31f4ee7d561d56a0c2c2c6eb1d6ce3e05917ff9654fdbfec05dc2b83%40%3Ccommits.servicecomb.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3Cusers.kafka.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rd57c7582adc90e233f23f3727db3df9115b27a823b92374f11453f34%40%3Cissues.hive.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r407538adec3185dd35a05c9a26ae2f74425b15132470cf540f41d85b%40%3Cissues.hive.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r95a297eb5fd1f2d3a2281f15340e2413f952e9d5503296c3adc7201a%40%3Ccommits.tomee.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rd317f15a675d114dbf5b488d27eeb2467b4424356b16116eb18a652d%40%3Cjira.kafka.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r90d1e97b0a743cf697d89a792a9b669909cc5a1692d1e0083a22e66c%40%3Cissues.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3Cusers.kafka.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r6b11eca1d646f45eb0d35d174e6b1e47cfae5295b92000856bfb6304%40%3Cusers.kafka.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r2eb66c182853c69ecfb52f63d3dec09495e9b65be829fd889a081ae1%40%3Cdev.hive.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r45e7350dfc92bb192f3f88e9971c11ab2be0953cc375be3dda5170bd%40%3Cissues.flink.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r5f8a1608d758936bd6bbc5eed980777437b611537bf6fff40663fc71%40%3Cjira.kafka.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r605764e05e201db33b3e9c2e66ff620658f07ad74f296abe483f7042%40%3Creviews.iotdb.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r765283e145049df9b8998f14dcd444345555aae02b1610cfb3188bf8%40%3Cnotifications.iotdb.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r8ae961c80930e2717c75025414ce48a432cea1137c02f648b1fb9524%40%3Cissues.hive.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rdca8711bb7aa5d47a44682606cd0ea3497e2e922f22b7ee83e81e6c1%40%3Cissues.hive.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r5b130fe668503c4b7e2caf1b16f86b7f2070fd1b7ef8f26195a2ffbd%40%3Cissues.hive.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r024b7bda9c43c5560d81238748775c5ecfe01b57280f90df1f773949%40%3Cissues.hive.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r7cb5b4b3e4bd41a8042e5725b7285877a17bcbf07f4eb3f7b316af60%40%3Creviews.iotdb.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r8937a7160717fe8b2221767163c4de4f65bc5466405cb1c5310f9080%40%3Cdev.kafka.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rb674520b9f6c808c1bf263b1369e14048ec3243615f35cfd24e33604%40%3Cissues.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rd6f6bf848c2d47fa4a85c27d011d948778b8f7e58ba495968435a0b3%40%3Cissues.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rdf9a34726482222c90d50ae1b9847881de67dde8cfde4999633d2cdc%40%3Ccommits.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/re16f81d3ad49a93dd2f0cba9f8fc88e5fb89f30bf9a2ad7b6f3e69c1%40%3Ccommits.karaf.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r6a6df5647583541e3cb71c75141008802f7025cee1c430d4ed78f4cc%40%3Cissues.hive.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/ra409f798a1e5a6652b7097429b388650ccd65fd958cee0b6f69bba00%40%3Cissues.hive.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rc15e90bbef196a5c6c01659e015249d6c9a73581ca9afb8aeecf00d2%40%3Cjira.kafka.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r6b11eca1d646f45eb0d35d174e6b1e47cfae5295b92000856bfb6304%40%3Cdev.kafka.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r1b7ed0c4b6c4301d4dfd6fdbc5581b0a789d3240cab55d766f33c6c6%40%3Cjira.kafka.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r2882fc1f3032cd7be66e28787f04ec6f1874ac68d47e310e30ff7eb1%40%3Cjira.kafka.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r3e6ae311842de4e64c5d560a475b7f9cc7e0a9a8649363c6cf7537eb%40%3Ccommits.karaf.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r6a4f3ef6edfed2e0884269d84798f766779bbbc1005f7884e0800d61%40%3Cdev.knox.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r8764bb835bcb8e311c882ff91dd3949c9824e905e880930be56f6ba3%40%3Cuser.spark.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r91722ecfba688b0c565675f8bf380269fde8ec62b54d6161db544c22%40%3Ccommits.karaf.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r0881e23bd9034c8f51fdccdc8f4d085ba985dcd738f8520569ca5c3d%40%3Cissues.hive.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r6e3d4f7991542119a4ca6330271d7fbf7b9fb3abab24ada82ddf1ee4%40%3Cnotifications.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r98bfe3b90ea9408f12c4b447edcb5638703d80bc782430aa0c210a54%40%3Cissues.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rc82ff47853289e9cd17f5cfbb053c04cafc75ee32e3d7223963f83bb%40%3Cdev.knox.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r73bef1bb601a9f093f915f8075eb49fcca51efade57b817afd5def07%40%3Ccommits.iotdb.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r900d4408c4189b376d1ec580ea7740ea6f8710dc2f0b7e9c9eeb5ae0%40%3Cdev.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r94c7e86e546120f157264ba5ba61fd29b3a8d530ed325a9b4fa334d7%40%3Ccommits.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rc88f2fa2b7bd6443921727aeee7704a1fb02433e722e2abf677e0d3d%40%3Ccommits.zookeeper.apache.org%3E"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20210108-0007/"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1887664"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"type":"FIX","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"},{"type":"FIX","url":"https://github.com/FasterXML/jackson-databind/issues/2589"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/FasterXML/jackson-databind","events":[{"introduced":"21f90cf247018c1286cc20544029782450dc270a"},{"fixed":"fe5805bb27111c6fd010b04e7dc92a7536869301"},{"introduced":"e969f0a31b781f5dfb74e16ddd5ee4b4fa36e8d8"},{"fixed":"d0e9952ea70d1af5c512322a32456f237afb9e9b"},{"introduced":"a1eedfdeea46f2a8da0ed23f06e7e1d39050499b"},{"fixed":"94484ca0177dd02c3ed83a5a5bbbcffc07a44d03"},{"introduced":"0"},{"last_affected":"3739d9dfbf24b6822b90274ba346ad209eb289fd"},{"introduced":"0"},{"last_affected":"50791cc7856376949287e0be3e96147665ab8f68"},{"introduced":"0"},{"last_affected":"ce9dc07af83f77568a613fd45a86f58c93ba1a02"},{"introduced":"0"},{"last_affected":"81929fad84189ce59ef82e7a6d0df795eb0c7cdb"},{"introduced":"0"},{"last_affected":"e969f0a31b781f5dfb74e16ddd5ee4b4fa36e8d8"},{"introduced":"0"},{"last_affected":"a1eedfdeea46f2a8da0ed23f06e7e1d39050499b"}],"database_specific":{"versions":[{"introduced":"2.6.0"},{"fixed":"2.6.7.4"},{"introduced":"2.9.0"},{"fixed":"2.9.10.7"},{"introduced":"2.10.0"},{"fixed":"2.10.5.1"},{"introduced":"0"},{"last_affected":"2.6.2"},{"introduced":"0"},{"last_affected":"2.7.0"},{"introduced":"0"},{"last_affected":"2.7.1"},{"introduced":"0"},{"last_affected":"2.8.0"},{"introduced":"0"},{"last_affected":"2.9.0"},{"introduced":"0"},{"last_affected":"2.10.0"}]}},{"type":"GIT","repo":"https://github.com/quarkusio/quarkus","events":[{"introduced":"0"},{"last_affected":"76871146a2f242c252fc43676f43756adca218e2"},{"introduced":"0"},{"fixed":"4dfd4d772708cee62da0a0170d81b586e12ca565"},{"introduced":"0"},{"last_affected":"dc364b898175400962224393f9eb82d3e0ab2efb"},{"introduced":"0"},{"last_affected":"78c7b1ddd04d9cc2c2a939dbeed9e8c8e223435a"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.6.1"},{"introduced":"0"},{"fixed":"0.12.0"},{"introduced":"0"},{"last_affected":"3.6"},{"introduced":"0"},{"last_affected":"1.4.0"}]}}],"versions":["1.4.0.Final","1.6.1.Final","3.6.0","jackson-databind-2.10.0","jackson-databind-2.10.1","jackson-databind-2.10.2","jackson-databind-2.10.3","jackson-databind-2.10.4","jackson-databind-2.10.5","jackson-databind-2.6.0","jackson-databind-2.6.1","jackson-databind-2.6.2","jackson-databind-2.6.3","jackson-databind-2.6.4","jackson-databind-2.6.5","jackson-databind-2.6.6","jackson-databind-2.6.7","jackson-databind-2.6.7.1","jackson-databind-2.6.7.2","jackson-databind-2.6.7.3","jackson-databind-2.7.0","jackson-databind-2.7.0-rc1","jackson-databind-2.7.0-rc2","jackson-databind-2.7.0-rc3","jackson-databind-2.7.1","jackson-databind-2.7.1-1","jackson-databind-2.8.0","jackson-databind-2.9.0","jackson-databind-2.9.1","jackson-databind-2.9.10","jackson-databind-2.9.10.1","jackson-databind-2.9.10.2","jackson-databind-2.9.10.3","jackson-databind-2.9.10.4","jackson-databind-2.9.10.5","jackson-databind-2.9.10.6","jackson-databind-2.9.3","jackson-databind-2.9.4","jackson-databind-2.9.5","jackson-databind-2.9.6","jackson-databind-2.9.7","jackson-databind-2.9.8","jackson-databind-2.9.9","jackson-databind-2.9.9.1","jackson-databind-2.9.9.2","jackson-databind-2.9.9.3"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"32"}]},{"events":[{"introduced":"0"},{"last_affected":"9.3.6"}]},{"events":[{"introduced":"18.1"},{"last_affected":"18.3"}]},{"events":[{"introduced":"0"},{"last_affected":"19.1"}]},{"events":[{"introduced":"0"},{"last_affected":"19.2"}]},{"events":[{"introduced":"0"},{"last_affected":"20.1"}]},{"events":[{"introduced":"0"},{"last_affected":"21.1"}]},{"events":[{"introduced":"0"},{"last_affected":"4.4"}]},{"events":[{"introduced":"0"},{"fixed":"21.1.2"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.1.4.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.1.1.0.0"}]},{"events":[{"introduced":"11.3.0"},{"last_affected":"11.3.2"}]},{"events":[{"introduced":"0"},{"last_affected":"11.2.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.5.0.23.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.0.0.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.0.4.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.1"}]},{"events":[{"introduced":"0"},{"last_affected":"10.0.1.5.0"}]},{"events":[{"introduced":"0"},{"last_affected":"6.3"}]},{"events":[{"introduced":"0"},{"last_affected":"6.4"}]},{"events":[{"introduced":"0"},{"last_affected":"12.0.4.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.0.0.3"}]},{"events":[{"introduced":"0"},{"last_affected":"12.0.0.4.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4.1"}]},{"events":[{"introduced":"0"},{"last_affected":"19.1.0.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"9.1"}]},{"events":[{"introduced":"11.1.0"},{"last_affected":"11.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"11.0.2"}]},{"events":[{"introduced":"11.1.0"},{"last_affected":"11.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"11.0.2"}]},{"events":[{"introduced":"0"},{"fixed":"9.2.5.3"}]},{"events":[{"introduced":"0"},{"fixed":"9.2.5.3"}]},{"events":[{"introduced":"17.7"},{"last_affected":"17.12"}]},{"events":[{"introduced":"17.12.0"},{"last_affected":"17.12.11"}]},{"events":[{"introduced":"18.8.0"},{"last_affected":"18.8.11"}]},{"events":[{"introduced":"19.12.0"},{"last_affected":"19.12.10"}]},{"events":[{"introduced":"0"},{"last_affected":"20.12.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.1.3.2"}]},{"events":[{"introduced":"0"},{"last_affected":"15.0.3.1"}]},{"events":[{"introduced":"0"},{"last_affected":"16.0.3"}]},{"events":[{"introduced":"0"},{"last_affected":"16.0.6"}]},{"events":[{"introduced":"0"},{"last_affected":"17.0.4"}]},{"events":[{"introduced":"0"},{"last_affected":"18.0.3"}]},{"events":[{"introduced":"0"},{"last_affected":"19.0.2"}]},{"events":[{"introduced":"0"},{"last_affected":"20.0.1"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"4.3.0.5.0"}]},{"events":[{"introduced":"0"},{"last_affected":"4.3.0.6.0"}]},{"events":[{"introduced":"0"},{"last_affected":"4.4.0.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"4.4.0.2.0"}]},{"events":[{"introduced":"0"},{"last_affected":"4.4.0.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.1.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.1.4.0"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0.2"}]},{"events":[{"introduced":"0"},{"last_affected":"8.1"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-25649.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}