PT-2020-4068 · Fasterxml+4 · Jackson-Databind+4

Published

2020-04-07

Updated

2025-07-10

CVE-2020-11619

CVSS v2.0

High

Vector

AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions: FasterXML jackson-databind versions 2.x before 2.9.10.4

Description: The issue is related to the interaction between serialization gadgets and typing in FasterXML jackson-databind, specifically with the org.springframework.aop.config.MethodLocatingFactoryBean component. This can be exploited by a remote attacker to execute arbitrary code in the target system. The vulnerability is associated with deficiencies in the deserialization mechanism.

Recommendations: For FasterXML jackson-databind versions 2.x before 2.9.10.4, update to version 2.9.10.4 or later to resolve the issue. As a temporary workaround, consider disabling the use of the org.springframework.aop.config.MethodLocatingFactoryBean component until a patch is applied. Restrict access to sensitive data and minimize the use of deserialization to reduce the risk of exploitation.

Exploit

Fix

Deserialization of Untrusted Data

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-502

Related Identifiers

ALT-PU-2021-1792

BDU:2020-04468

CVE-2020-11619

DLA-2179-1

GHSA-27XJ-RQX5-2255

MGASA-2021-0153

RHSA-2020:2320

RHSA-2020:4366

ROSA-SA-2025-2629

USN-4813-1

Affected Products

Alt Linux

Methodlocatingfactorybean

Red Os

Ubuntu

Jackson-Databind

PT-2020-4068 · Fasterxml+4 · Jackson-Databind+4

CVE-2020-11619

Weakness Enumeration

Related Identifiers

Affected Products

References · 85