CVE-2020-25649: jackson-databind

search cancel

CVE-2020-25649: jackson-databind

book

Article ID: 205604

calendar_today

Updated On:

Products

CA Application Performance Management Agent (APM / Wily / Introscope) CA Application Performance Management (APM / Wily / Introscope) INTROSCOPE DX Application Performance Management

Issue/Introduction

Code scans have revealed a new vulnerability in Introscope 10.7.0.309: CVE-2020-25649 related to jackson-databind.

Vulnerability Id:

CVE-2020-25649

Description:

Addendum: `DOMDeserializer`: setExpandEntityReferences(false) may not prevent external entity expansion in all cases

References:

https://github.com/FasterXML/jackson-databind/commit/e588f0af61b18576779ffb95a2a689a5eb1f9d15

https://github.com/FasterXML/jackson-databind/issues/2589

Filename:

com.fasterxml.jackson.core.jackson-databind-2.9.10.6.jar

Environment

Release : 10.7.0

Component : Introscope

Resolution

An update to jackson-databind-2.9.10.7 was provided in 10.7 Hotfix 75 which is available on request from Broadcom support.

Feedback

thumb_up Yes

thumb_down No