PT-2020-3965 · Fasterxml+3 · Jackson-Databind+3

Published: 2020-08-25 · Updated: 2025-09-29 · CVE-2020-24616

CVSS v3.1: 8.1 (High)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: FasterXML jackson-databind versions 2.x prior to 2.9.10.6
Description: FasterXML jackson-databind mishandles the interaction between serialization gadgets and polymorphic typing. When an application enables default typing (or deserializes an Object-typed property annotated for polymorphic handling) and the Anteros-DBCP library is on the classpath, the JSON document itself selects the class to instantiate, and a remote attacker can name br.com.anteros.dbcp.AnterosDBCPDataSource (also known as Anteros-DBCP) as that class. The attacker does not need privileges or user interaction, but the attack only succeeds against this specific configuration, which is why the CVSS attack complexity is rated High. Successful exploitation can compromise data integrity, expose confidential data, and cause a denial of service.
Recommendations: For FasterXML jackson-databind versions 2.x prior to 2.9.10.6, update to version 2.9.10.6 or later, which adds this class to jackson-databind's built-in list of blocked subtypes. If updating is not immediately possible, do not enable default typing for data that comes from untrusted sources (on 2.10 and later, gate any remaining default typing behind an allow-list PolymorphicTypeValidator), and verify that the Anteros-DBCP library is not present on the classpath of services that deserialize untrusted JSON.
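Added example (editor's code, not part of the original advisory and not code from the jackson-databind or Anteros projects): a small Java check that tells a practitioner whether an ObjectMapper lets the JSON input choose the Java class, shown for the vulnerable configuration beside two hardened ones, plus a classpath check for the gadget class named in this advisory. It assumes jackson-databind 2.10 or newer on the classpath (activateDefaultTyping and BasicPolymorphicTypeValidator do not exist in 2.9.x; enableDefaultTyping still compiles there but is deprecated). The package prefix com.example.model. is an assumed application package, and the probe document deliberately names a harmless JDK class rather than the gadget, so the check is safe to run anywhere.

```java
import java.io.IOException;
import java.util.List;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.ObjectMapper.DefaultTyping;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingExposure {

    // Constructed probe. With default typing, an Object-typed value is written as a
    // two-element array ["fully.qualified.Class", { ...properties... }]. A harmless
    // JDK class is named here; an attacker would name a gadget class instead.
    static final String PROBE = "[\"java.util.HashMap\", {}]";

    // Gadget class this advisory concerns. Its presence on the classpath is what
    // turns "the input picks the class" into an actual impact.
    static final String GADGET = "br.com.anteros.dbcp.AnterosDBCPDataSource";

    // Vulnerable configuration: global default typing with no validator, so any
    // non-final class reachable from the classpath can be named by the input.
    static ObjectMapper vulnerableMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(DefaultTyping.NON_FINAL); // deprecated since 2.10
        return m;
    }

    // Hardened configuration (2.10+): default typing is still on, but only classes
    // under an allow-listed package may be selected. "com.example.model." is an
    // assumed application package.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, DefaultTyping.NON_FINAL);
        return m;
    }

    // Safest configuration: no default typing at all; callers bind to concrete
    // classes and the input cannot influence which class is instantiated.
    static ObjectMapper plainMapper() {
        return new ObjectMapper();
    }

    // True if the mapper lets the JSON document choose the Java class: the probe
    // comes back as a HashMap instead of as a plain List of two elements.
    static boolean inputChoosesType(ObjectMapper m) {
        try {
            Object o = m.readValue(PROBE, Object.class);
            return !(o instanceof List);
        } catch (IOException e) {
            // A JsonMappingException (InvalidTypeIdException) is raised when the
            // validator denies the type id or the class cannot be resolved.
            return false;
        }
    }

    // Presence check for the gadget; initialize=false so nothing in the class runs.
    static boolean gadgetOnClasspath() {
        try {
            Class.forName(GADGET, false, DefaultTypingExposure.class.getClassLoader());
            return true;
        } catch (ClassNotFoundException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println("vulnerable mapper, input chooses type: "
                + inputChoosesType(vulnerableMapper()));
        System.out.println("hardened mapper, input chooses type:   "
                + inputChoosesType(hardenedMapper()));
        System.out.println("plain mapper, input chooses type:      "
                + inputChoosesType(plainMapper()));
        System.out.println("Anteros-DBCP gadget on classpath:      "
                + gadgetOnClasspath());
    }
}
```

Run it with the application's own classpath: a service is exposed to this advisory only when the first line reports that the input chooses the type and the last line reports the gadget present, and the cleanest fix remains upgrading and removing default typing rather than relying on the blocklist alone.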

Weakness Enumeration

Deserialization of Untrusted Data (CWE-502)
Code Injection (CWE-94)

Related Identifiers

ALSA-2025_16880
ALT-PU-2021-1792
BDU:2020-04358
CVE-2020-24616
DLA-2638-1
GHSA-H3CW-G4MQ-C5X2
ROSA-SA-2025-2629

Affected Products

Alt Linux
Anterosdbcpdatasource
Astra Linux
Jackson-Databind