CVE-2020-25649

7.5 HIGH

📋 TL;DR

CVE-2020-25649 is an XML external entity (XXE) flaw in FasterXML jackson-databind. Its built-in deserializer for org.w3c.dom.Document and org.w3c.dom.Node (DOMDeserializer) parsed XML supplied as a JSON string value with a DocumentBuilderFactory that left DTD and external-entity processing enabled, so an attacker who controls such a value can have the server read local files into the document, make outbound requests during entity resolution, or exhaust memory and CPU through entity expansion. Any application that deserializes untrusted input into those DOM types with an unpatched jackson-databind is affected. The primary risks are unauthorized data disclosure and service disruption.

💻 Affected Systems

Products:
  • FasterXML Jackson Databind
  • Apache Hive
  • Apache ZooKeeper
  • Apache Turbine
  • Any application using Jackson Databind XML processing
Versions: jackson-databind releases before the fixed versions on each maintained branch: 2.6.7.4, 2.9.10.7 and 2.10.5.1 (the 2.7.x and 2.8.x lines received no fix and must move to a fixed branch)
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerable code is DOMDeserializer, which jackson-databind uses whenever a JSON string value is bound to a field or parameter typed org.w3c.dom.Document or org.w3c.dom.Node. Ordinary JSON processing that never binds to those DOM types is not affected. The XML arrives inside a JSON document, so a plain JSON API can be the entry point; jackson-dataformat-xml is a separate module and not the subject of this CVE.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Disclosure of any file readable by the application's user (credentials, private keys, configuration), server-side requests to attacker-chosen hosts during entity resolution, and denial of service through entity expansion; leaked credentials can then lead to wider compromise.

🟠

Likely Case

Unauthorized reading of server files containing configuration data, credentials, or application source code.

🟢

If Mitigated

Limited impact once untrusted input is no longer bound to org.w3c.dom types, or the built-in Document/Node deserializer is replaced by one that parses with DTD and external-entity processing disabled.

🌐 Internet-Facing: HIGH - Any internet-facing service processing XML with vulnerable Jackson Databind is directly exploitable.
🏢 Internal Only: MEDIUM - Internal applications could be exploited by authenticated users or through other attack vectors.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

XXE attacks are well documented and easily weaponized. Exploitation requires a code path that deserializes attacker-controlled input into org.w3c.dom.Document or org.w3c.dom.Node; because the XML rides inside a JSON string, an ordinary JSON endpoint with such a field is enough.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: jackson-databind 2.9.10.7 or later (2.6.7.4 and 2.10.5.1 carry the same fix for the 2.6 and 2.10 branches)

Vendor Advisory: https://github.com/FasterXML/jackson-databind/issues/2589

Restart Required: Yes

Instructions:

1. Update the jackson-databind dependency to 2.9.10.7 or later (or to 2.6.7.4 / 2.10.5.1 if you are pinned to those branches).
2. Update the build configuration (Maven/Gradle) to the patched version, including any dependency-management section or BOM that pins the Jackson version.
3. Restart application services.
4. Verify that no older vulnerable copy remains on the classpath: check transitive dependencies, shaded or fat jars, and application-server shared libraries, which can shadow the version declared in your own build.

🔧 Temporary Workarounds

Stop feeding untrusted input to the built-in Document/Node deserializer

all

jackson-databind creates the DocumentBuilderFactory inside DOMDeserializer, so parser settings made elsewhere in the application do not reach it. Either bind the field as a String and parse it yourself with a DTD-disabled parser, or register a custom deserializer for org.w3c.dom.Document / org.w3c.dom.Node that does so. The StAX settings below harden XML the application parses itself (or an XMLInputFactory handed to jackson-dataformat-xml); they are good hygiene but do not change DOMDeserializer:

XMLInputFactory factory = XMLInputFactory.newFactory();
// Refuse DTDs outright: without a DOCTYPE no entity can be declared.
factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
// Belt and braces for implementations that still resolve external entities with DTDs off.
factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
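The binding pattern this CVE affects, beside the workaround described above, as an added example (this is not jackson-databind's own code; the SignedRequest type, its field names and the sample JSON are constructed for illustration). A custom deserializer for org.w3c.dom.Document registered through a SimpleModule takes precedence over DOMDeserializer, and it parses the string with a DocumentBuilderFactory that refuses any DOCTYPE:

```java
import java.io.IOException;
import java.io.StringReader;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.w3c.dom.Document;
import org.xml.sax.InputSource;

import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.databind.DeserializationContext;
import com.fasterxml.jackson.databind.JsonDeserializer;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.module.SimpleModule;

/** Added example, not Jackson project code: hardened binding of JSON string values to DOM Documents. */
public class HardenedDomBinding {

    /** Hypothetical request type: its "payload" field is an XML document carried as a JSON string. */
    public static class SignedRequest {
        public String id;
        public Document payload;   // on unpatched versions this field is filled by DOMDeserializer
    }

    /** Replaces the built-in Document deserializer with one whose parser rejects DTDs. */
    public static final class SafeDocumentDeserializer extends JsonDeserializer<Document> {
        private static final DocumentBuilderFactory FACTORY = hardenedFactory();

        private static DocumentBuilderFactory hardenedFactory() {
            DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
            try {
                // No DOCTYPE at all: entities, internal or external, cannot be declared without one.
                f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
                // Defence in depth for parsers that ignore the feature above.
                f.setFeature("http://xml.org/sax/features/external-general-entities", false);
                f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
                f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            } catch (ParserConfigurationException e) {
                throw new IllegalStateException("XML parser lacks required security features", e);
            }
            f.setXIncludeAware(false);
            f.setExpandEntityReferences(false);
            return f;
        }

        @Override
        public Document deserialize(JsonParser p, DeserializationContext ctxt) throws IOException {
            String xml = p.getValueAsString();
            if (xml == null) {
                // Not a scalar string: let Jackson report the token mismatch.
                return (Document) ctxt.handleUnexpectedToken(Document.class, p);
            }
            try {
                return FACTORY.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
            } catch (Exception e) {
                // Surface as a normal mapping error so callers see one failure type.
                throw JsonMappingException.from(p, "rejected XML document: " + e.getMessage(), e);
            }
        }
    }

    /** ObjectMapper with the hardened Document deserializer installed. */
    public static ObjectMapper hardenedMapper() {
        SimpleModule module = new SimpleModule("dom-xxe-hardening");
        module.addDeserializer(Document.class, new SafeDocumentDeserializer());
        return new ObjectMapper().registerModule(module);
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = hardenedMapper();

        // Constructed benign input: XML carried as a JSON string value.
        String benign = "{\"id\":\"42\",\"payload\":\"<order><item>widget</item></order>\"}";
        SignedRequest ok = mapper.readValue(benign, SignedRequest.class);
        System.out.println("benign root element: " + ok.payload.getDocumentElement().getTagName());

        // Constructed hostile input: same JSON shape, but the XML declares an external entity.
        String hostile = "{\"id\":\"43\",\"payload\":\"<!DOCTYPE d [<!ENTITY x SYSTEM \\\"file:///etc/hostname\\\">]><d>&x;</d>\"}";
        try {
            mapper.readValue(hostile, SignedRequest.class);
            System.out.println("UNEXPECTED: DOCTYPE was accepted");
        } catch (JsonMappingException e) {
            System.out.println("rejected as expected: " + e.getOriginalMessage());
        }
    }
}
```

Fields typed org.w3c.dom.Node are served by the same built-in deserializer class, so register an equivalent deserializer for Node.class as well if your model uses it. Rejecting the DOCTYPE outright is the right default here: a document that needs a DTD has no business arriving inside an API request.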

Input validation and filtering

all

Reject XML input containing a DOCTYPE declaration or entity definitions. Run the check on the decoded JSON string value, not on the raw request body: a raw-body match misses payloads that JSON-escape the angle bracket as \u003c!DOCTYPE.

// Run on the decoded JSON string value, not the raw request body.
// XML keywords are case-sensitive, so a plain contains() suffices; every
// entity declaration needs a DOCTYPE, so the second test is redundant but harmless.
if (xmlInput.contains("<!DOCTYPE") || xmlInput.contains("<!ENTITY")) {
    throw new SecurityException("XML input with a DTD is not accepted");
}

🧯 If You Can't Patch

  • Implement network segmentation to restrict access to vulnerable services
  • Deploy WAF rules to block JSON request bodies whose string values contain DOCTYPE or ENTITY declarations; the rule must normalize JSON escapes (e.g. \u003c for <) before matching, or it is trivially bypassed

🔍 How to Verify

Check if Vulnerable:

Check pom.xml or build.gradle, including transitive and shaded dependencies, for a jackson-databind version below 2.9.10.7 (or below 2.6.7.4 / 2.10.5.1 on those branches). Then search the code base for fields or parameters typed org.w3c.dom.Document or org.w3c.dom.Node that Jackson binds; without such a binding the vulnerable code is never reached.

Check Version:

mvn dependency:tree | grep jackson-databind OR gradle dependencies | grep jackson-databind

Verify Fix Applied:

Confirm the jackson-databind version on the runtime classpath is 2.9.10.7 or higher (2.6.7.4 / 2.10.5.1 on those branches), and test the running application with an XXE payload bound to a Document field; the payload must be rejected or its entity left unresolved.
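A self-contained runtime check for the "test with an XXE payload" step, as an added example (not from Jackson or the original page; the Holder type and the marker string are constructed for it). It binds a JSON string carrying an external entity to org.w3c.dom.Document with a default ObjectMapper, exactly the path DOMDeserializer handles, and reports whether the entity was resolved. The entity points at a temp file the program writes itself, so the check reads nothing it should not and needs no network:

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

import org.w3c.dom.Document;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.cfg.PackageVersion;

/** Added example, not Jackson project code: canary for CVE-2020-25649 on the deployed classpath. */
public class DomXxeCanary {

    /** Marker written to a temp file; if it shows up in the parsed Document, the entity was resolved. */
    static final String MARKER = "XXE-CANARY-" + System.nanoTime();

    /** Hypothetical wrapper so the same field-binding path as a real POJO is exercised. */
    public static class Holder {
        public Document doc;
    }

    /** Returns true if a default ObjectMapper resolved the external entity, i.e. the library is vulnerable. */
    public static boolean defaultMapperResolvesExternalEntities() throws Exception {
        Path secret = Files.createTempFile("xxe-canary", ".txt");
        try {
            Files.write(secret, MARKER.getBytes(StandardCharsets.UTF_8));
            // Constructed payload: a DOCTYPE declaring an external entity that points at our own temp file.
            String xml = "<!DOCTYPE d [<!ENTITY x SYSTEM \\\"" + secret.toUri() + "\\\">]><d>&x;</d>";
            String json = "{\"doc\":\"" + xml + "\"}";
            try {
                Holder h = new ObjectMapper().readValue(json, Holder.class);
                String text = h.doc.getDocumentElement().getTextContent();
                return text != null && text.contains(MARKER);
            } catch (Exception rejected) {
                // A patched DOMDeserializer refuses the DOCTYPE or the external entity outright.
                return false;
            }
        } finally {
            Files.deleteIfExists(secret);
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("jackson-databind " + PackageVersion.VERSION.toFullString());
        boolean vulnerable = defaultMapperResolvesExternalEntities();
        System.out.println(vulnerable
                ? "VULNERABLE: external entity content was resolved into the Document"
                : "not vulnerable: DOCTYPE/external entity was rejected or left unresolved");
        System.exit(vulnerable ? 1 : 0);
    }
}
```

Run it with the application's real runtime classpath (for example from within the deployed container or with the fat jar on the class path), since a shaded or server-provided copy of jackson-databind can differ from what the build file declares. The printed PackageVersion comes from the copy that actually loaded.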

📡 Detection & Monitoring

Log Indicators:

  • Deserialization failures on Document/Node fields whose message mentions DOCTYPE, entity declarations or the disallow-doctype-decl feature (rejected payloads on patched versions; failed entity resolution on unpatched ones)
  • File access by the application process to paths it never normally reads (/etc/passwd, key and configuration files), where file auditing is in place
  • Memory or CPU spikes correlated with individual requests that carry XML inside JSON (entity expansion)

Network Indicators:

  • HTTP requests whose JSON bodies contain string values with DOCTYPE declarations, including JSON-escaped forms such as \u003c!DOCTYPE
  • Outbound HTTP, FTP or DNS activity from the JVM to attacker-chosen hosts while a request is being handled (external entity resolution)

SIEM Query:

source="*app.log*" AND ("<!DOCTYPE" OR "<!ENTITY" OR "\u003c!DOCTYPE" OR "disallow-doctype-decl")

Match the literal tokens rather than the bare words DOCTYPE and ENTITY, which appear in ordinary XML tooling output and make the query too noisy to act on.
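Detection logic for the attack shape behind this CVE, as an added example (not from the original page or any vendor; the sample request bodies are constructed). Because the XML is smuggled inside a JSON string, the detector JSON-decodes each string value with Jackson's streaming parser (plain JSON parsing is not affected by the CVE) before looking for a DTD, so \u escapes that defeat a literal "<!DOCTYPE" rule are still caught:

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonToken;

/** Added example, not project code: finds DTDs hidden inside JSON string values. */
public class DoctypeInJsonDetector {

    // XML keywords are case-sensitive, so no CASE_INSENSITIVE flag is needed.
    private static final Pattern DTD = Pattern.compile("<!DOCTYPE|<!ENTITY");

    /** Returns the names of string fields whose decoded value declares a DTD; empty means clean. */
    public static List<String> findDtdBearingFields(String jsonBody) throws IOException {
        List<String> hits = new ArrayList<>();
        try (JsonParser p = new JsonFactory().createParser(jsonBody)) {
            JsonToken t;
            while ((t = p.nextToken()) != null) {
                // getText() returns the decoded value, so \u003c has already become '<'.
                if (t == JsonToken.VALUE_STRING && DTD.matcher(p.getText()).find()) {
                    String name = p.getCurrentName();
                    hits.add(name == null ? "(array element)" : name);
                }
            }
        }
        return hits;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample request bodies, as they might appear in a request/debug log.
        String[] samples = {
            // benign: XML without a DTD
            "{\"id\":\"1\",\"payload\":\"<order><item>widget</item></order>\"}",
            // literal DOCTYPE: a naive substring rule would catch this
            "{\"id\":\"2\",\"payload\":\"<!DOCTYPE d [<!ENTITY x SYSTEM \\\"file:///etc/passwd\\\">]><d>&x;</d>\"}",
            // same payload with the '<' JSON-escaped: a literal rule misses it, this detector does not
            "{\"id\":\"3\",\"payload\":\"\\u003c!DOCTYPE d [\\u003c!ENTITY x SYSTEM \\\"file:///etc/passwd\\\">]><d>&x;</d>\"}",
        };
        for (String body : samples) {
            List<String> hits = findDtdBearingFields(body);
            System.out.println((hits.isEmpty() ? "clean " : "ALERT ") + "fields=" + hits + "  " + body);
        }
    }
}
```

For bodies that are not valid JSON the parser throws; treat that as its own signal rather than swallowing it, since malformed bodies aimed at a JSON endpoint are worth a look too. The same decode-then-match approach is what a WAF rule for this CVE needs to do.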
