PT-2020-4067 · Fasterxml+3 · Jackson-Databind+3

Published

2020-04-07

Updated

2025-01-28

CVE-2020-11620

CVSS v2.0

High

Vector

AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions: FasterXML jackson-databind versions 2.x before 2.9.10.4

Description: The issue is related to the deserialization mechanism in the FasterXML jackson-databind library, specifically with the commons-jelly component. This can allow a remote attacker to execute arbitrary code in the target system. The problem arises from the mishandling of the interaction between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded.

Recommendations: For versions 2.x before 2.9.10.4, update to version 2.9.10.4 or later to resolve the issue. As a temporary workaround, consider restricting the use of the org.apache.commons.jelly.impl.Embedded class until a patch is applied.

Exploit

Fix

Deserialization of Untrusted Data

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-502

Related Identifiers

ALT-PU-2021-1792

BDU:2020-04467

CVE-2020-11620

DLA-2179-1

GHSA-H4RC-386G-6M85

MGASA-2021-0153

RHSA-2020:2320

ROSA-SA-2025-2629

USN-4813-1

Affected Products

Alt Linux

Ubuntu

Commons-Jelly

Jackson-Databind

PT-2020-4067 · Fasterxml+3 · Jackson-Databind+3

CVE-2020-11620

Weakness Enumeration

Related Identifiers

Affected Products

References · 108