Is CVE-2020-25649 being actively exploited?

It is not currently in CISA's KEV catalog. Its EPSS exploitation probability is 18%.

What products does CVE-2020-25649 affect?

Tracked products affected include Quarkus. Check the version you run to see whether it is affected.

How do I fix CVE-2020-25649?

Apply the vendor fix promptly. An official patch or advisory is available. Upgrade affected products to a fixed version.

← All products

CVE-2020-25649

Q: What is CVE-2020-25649?

CVE-2020-25649 is a high-severity software vulnerability (XML external entity (XXE)) with a CVSS score of 7.5. A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.

HIGH severity · CVSS 7.5 · XML external entity (XXE)

7.5CVSS HIGH

Summary

A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.

Impact & exploitability

Attack vectorNetwork

Attack complexityLow

Privileges requiredNone

User interactionNone

Confidentiality impactNone

Integrity impactHigh

Availability impactNone

Exploit probability (EPSS)18%

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Affected products we track (1)

Quarkus

Recommendation

Apply the vendor fix promptly. Open any affected product above for its exact safe version.

Official patch: https://github.com/FasterXML/jackson-databind/issues/2589 ↗

Additional information

NVD record
https://github.com/FasterXML/jackson-databind/issues/2589Patch
https://bugzilla.redhat.com/show_bug.cgi?id=1887664Advisory
https://lists.apache.org/thread.html/r011d1430e8f40dff9550c3bc5d0f48b14c01ba8aecabd91d5e495386%40%3Ccommits.turbine.apache.org%3E
https://lists.apache.org/thread.html/r024b7bda9c43c5560d81238748775c5ecfe01b57280f90df1f773949%40%3Cissues.hive.apache.org%3E
https://lists.apache.org/thread.html/r04529cedaca40c2ff90af4880493f9c88a8ebf4d1d6c861d23108a5a%40%3Cnotifications.zookeeper.apache.org%3E
https://lists.apache.org/thread.html/r0881e23bd9034c8f51fdccdc8f4d085ba985dcd738f8520569ca5c3d%40%3Cissues.hive.apache.org%3E
https://lists.apache.org/thread.html/r0b8dc3acd4503e4ecb6fbd6ea7d95f59941168d8452ac0ab1d1d96bb%40%3Cissues.zookeeper.apache.org%3E
https://lists.apache.org/thread.html/r1b7ed0c4b6c4301d4dfd6fdbc5581b0a789d3240cab55d766f33c6c6%40%3Cjira.kafka.apache.org%3E