PT-2020-3306 · FasterXML · jackson-databind

Published 2020-03-01 · Updated 2025-09-29 · CVE-2020-9547

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: FasterXML jackson-databind versions 2.7.9.6 and earlier, 2.8.11.5 and earlier, 2.9.10.3 and earlier

Description: The issue concerns the interaction between serialization gadgets and polymorphic typing in the FasterXML jackson-databind library, specifically the com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig class from ibatis-sqlmap. When an application deserializes attacker-controlled JSON with Default Typing enabled (or into a property annotated for class-name type ids) and ibatis-sqlmap is on the classpath, a remote attacker can name this class in the type id and have it instantiated with attacker-chosen properties, leading to remote code execution. The CVSS vector above reflects that impact (C:H/I:H/A:H), not merely a denial of service. Applications that never enable Default Typing, or that deserialize untrusted input only into concrete, non-polymorphic types, are not reachable through this gadget.

Recommendations: For FasterXML jackson-databind versions 2.7.9.6 and earlier, update to version 2.7.9.7 or later. For versions 2.8.11.5 and earlier, update to version 2.8.11.6 or later. For versions 2.9.10.3 and earlier, update to version 2.9.10.4 or later. These releases add the gadget class to jackson-databind's blocklist; they do not make Default Typing safe in general, and every further gadget class found on a classpath needs a further entry. Where possible, disable Default Typing for untrusted input, or (on 2.10 and later) replace enableDefaultTyping with activateDefaultTyping and a PolymorphicTypeValidator allowlist of the types the application actually expects.
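The configuration this class of issue depends on, beside its allowlist-based replacement, as an added example written for this page (it is not code from the advisory, from FasterXML, or from the ibatis project). It assumes jackson-databind 2.10 or later on the classpath, since activateDefaultTyping and BasicPolymorphicTypeValidator were introduced there; the Envelope and Note classes, the method names, and the two JSON inputs are constructed for illustration, and java.util.Date stands in for a disallowed class so that nothing harmful is instantiated.

```java
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

// Added example, not code from the advisory or from FasterXML: the Default Typing
// setting that gadget-chain CVEs such as CVE-2020-9547 rely on, beside the
// allowlist configuration that closes the class of bug rather than one gadget.
// Assumes jackson-databind 2.10 or later (activateDefaultTyping and
// BasicPolymorphicTypeValidator); all class, field and method names are illustrative.
public class DefaultTypingHardening {

    // A DTO with an Object-typed field. With Default Typing on, the JSON decides
    // which class is instantiated for this field; that is the "typing" half of the
    // advisory, and a gadget class on the classpath is the "gadget" half.
    public static class Envelope {
        public String id;
        public Object payload;
    }

    // The one application type we actually want to accept polymorphically.
    public static class Note {
        public String text;
    }

    // Vulnerable configuration (pre-2.10 API, deprecated but still present in 2.x):
    // any class named in a type id for an Object-typed property is resolved and
    // instantiated, so only jackson-databind's blocklist of known gadgets stands
    // between attacker input and code execution; each new gadget (this advisory's
    // JtaTransactionConfig among them) needs a new blocklist entry and a new release.
    public static ObjectMapper vulnerableMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping();   // OBJECT_AND_NON_CONCRETE, no validator
        return mapper;
    }

    // Hardened configuration: an allowlist validator decides which classes a type
    // id may name; everything else is rejected before any constructor or setter runs.
    public static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Note.class)
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv);   // same scope as above, but validated
        return mapper;
    }

    // Returns true if the mapper instantiates the payload, false if it refuses
    // the type id (the validator raises a JsonMappingException subclass).
    public static boolean acceptsPayload(ObjectMapper mapper, String json) {
        try {
            Envelope e = mapper.readValue(json, Envelope.class);
            return e.payload != null;
        } catch (JsonMappingException refused) {
            return false;
        } catch (java.io.IOException other) {
            throw new IllegalStateException(other);
        }
    }

    public static void main(String[] args) {
        // Constructed input naming the allowlisted type; the array-wrapped type id
        // is the form Default Typing uses for an Object-declared property.
        String allowed = "{\"id\":\"1\",\"payload\":[\""
                + Note.class.getName() + "\",{\"text\":\"hello\"}]}";
        // Constructed input naming a class outside the allowlist. A harmless JDK
        // type stands in for a gadget class; the validator treats both the same way.
        String notAllowed = "{\"id\":\"2\",\"payload\":[\"java.util.Date\",0]}";

        System.out.println("vulnerable mapper, allowed type:   "
                + acceptsPayload(vulnerableMapper(), allowed));
        System.out.println("vulnerable mapper, arbitrary type: "
                + acceptsPayload(vulnerableMapper(), notAllowed));
        System.out.println("hardened mapper, allowed type:     "
                + acceptsPayload(hardenedMapper(), allowed));
        System.out.println("hardened mapper, arbitrary type:   "
                + acceptsPayload(hardenedMapper(), notAllowed));
    }
}
```

The vulnerable mapper instantiates whatever class the type id names unless that class is on the blocklist; the hardened mapper instantiates Note and refuses every other class name without consulting any blocklist, which is why the upgrade in the recommendations and the allowlist belong together rather than as alternatives.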

Exploit · Fix · RCE · Deserialization of Untrusted Data


Weakness Enumeration

CWE-502: Deserialization of Untrusted Data

Related Identifiers

ALSA-2020:1644
ALSA-2025:16880
ALT-PU-2021-1792
BDU:2020-03617
CESA-2020:1644
CVE-2020-9547
DLA-2135-1
GHSA-q93h-jc49-78gg
MGASA-2021-0153
RHSA-2020:1644
RHSA-2020:2511
RHSA-2020:2512
RHSA-2020:2513
RHSA-2020:3637
RHSA-2020:3638
RHSA-2020:3639
RHSA-2020:4366
RHSA-2025:1746
RLSA-2020:1644
ROSA-SA-2025-2629
USN-4813-1

Affected Products

ALT Linux
AlmaLinux
CentOS
Red Hat
RED OS
Rocky Linux
Ubuntu
jackson-databind