From e7cae2e6a827b5eb8f3fec0d3acbf631d556da00 Mon Sep 17 00:00:00 2001
From: Bishop <fabric8.analytics.cve.bot@gmail.com>
Date: Fri, 3 Jul 2020 06:20:27 +0000
Subject: [PATCH] Add CVE-2020-14061

---
 database/java/2020/14061.yaml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 create mode 100644 database/java/2020/14061.yaml

diff --git a/database/java/2020/14061.yaml b/database/java/2020/14061.yaml
new file mode 100644
index 0000000000..1e19838675
--- /dev/null
+++ b/database/java/2020/14061.yaml
@@ -0,0 +1,18 @@
+---
+cve: 2020-14061
+title: CVE in com.fasterxml.jackson.core:jackson-databind
+description: >
+    FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms).
+cvss_v2: 6.8
+references:
+    - https://github.com/FasterXML/jackson-databind/issues/2698
+    - https://lists.debian.org/debian-lts-announce/2020/07/msg00001.html
+    - https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
+    - https://security.netapp.com/advisory/ntap-20200702-0003/
+affected:
+    - groupId: com.fasterxml.jackson.core
+      artifactId: jackson-databind
+      version:
+        - "<=2.9.10.4"
+      fixedin:
+        - ">=2.9.10.5"