PT-2020-4192 · Fasterxml+3 · Jackson-Databind+3

Published: 2020-06-14 · Updated: 2025-07-10 · CVE-2020-14062

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: FasterXML jackson-databind versions 2.x before 2.9.10.5
Description: The issue lies in the deserialization mechanism of the jackson-databind library, specifically in how it handles the com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool class as a deserialization target. The library mishandles the interaction between serialization gadgets and polymorphic typing: when the concrete class to instantiate can be named by the input, this class can act as a gadget, allowing a remote attacker to execute arbitrary code.
Recommendations: For FasterXML jackson-databind versions 2.x before 2.9.10.5, update to version 2.9.10.5 or later, which resolves the issue. As a temporary workaround until the patch is applied, restrict the com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool class so that it cannot be resolved as a deserialization target.
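The "gadget plus typing" interaction named above only exists when the JSON is allowed to choose the concrete class for a polymorphic field. The following is an added example, not code from the advisory or from the jackson-databind project: it contrasts the weak configuration (global default typing with no subtype validation) with a hardened one that allowlists the application's own types. It assumes the Jackson 2.10+ PolymorphicTypeValidator API (the fixed version 2.9.10.5 cited on the page predates it; on the 2.9 line the equivalent hardening is to not enable default typing for untrusted input at all). The package com.example, the Envelope and Greeting classes, and the java.util.HashMap type id used as a stand-in for an arbitrary attacker-chosen class are all constructed for the example.

```java
package com.example; // hypothetical application package; the allowlist below keys on it

import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingHardening {

    // Application-owned types, constructed for this example.
    public static class Greeting {
        public String text;
    }

    public static class Envelope {
        // A field typed as Object is exactly where polymorphic typing lets the
        // JSON name the concrete class to instantiate.
        public Object payload;
    }

    // WEAK: global default typing with no type validator. Whatever class name
    // the JSON carries as a type id is resolved and instantiated, which is the
    // gadget-plus-typing interaction the advisory describes. Shown only as the
    // setting to avoid; enableDefaultTyping() is deprecated since 2.10.
    @SuppressWarnings("deprecation")
    static ObjectMapper weakMapper() {
        return new ObjectMapper().enableDefaultTyping();
    }

    // HARDENED (Jackson 2.10+ API): polymorphic typing stays enabled, but a
    // validator allowlists the subtypes that may appear as type ids. Any class
    // outside com.example, JDK and library classes included, is refused before
    // it is instantiated.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.")
                .build();
        return JsonMapper.builder()
                .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE)
                .build();
    }

    // Returns true when the mapper refuses the type id carried in the JSON.
    static boolean rejectsTypeId(ObjectMapper mapper, String json) {
        try {
            mapper.readValue(json, Envelope.class);
            return false;
        } catch (InvalidTypeIdException e) {
            return true;
        } catch (JsonProcessingException e) {
            throw new IllegalStateException("unexpected parse failure", e);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed untrusted input: the type id names a class outside the
        // allowlist. java.util.HashMap is a harmless stand-in; the point is
        // that the name is chosen by whoever supplies the JSON.
        String untrusted = "{\"payload\":[\"java.util.HashMap\",{}]}";

        System.out.println("weak mapper rejects:     " + rejectsTypeId(weakMapper(), untrusted));     // false
        System.out.println("hardened mapper rejects: " + rejectsTypeId(hardenedMapper(), untrusted)); // true

        // Legitimate application types still round-trip through the hardened mapper.
        Envelope env = new Envelope();
        Greeting g = new Greeting();
        g.text = "hello";
        env.payload = g;
        ObjectMapper hardened = hardenedMapper();
        String json = hardened.writeValueAsString(env);
        Envelope back = hardened.readValue(json, Envelope.class);
        System.out.println("round-trip ok: " + (back.payload instanceof Greeting));                   // true
    }
}
```

Compile against jackson-databind 2.10 or later and run the main method. The hardened mapper throws InvalidTypeIdException for the constructed input because BasicPolymorphicTypeValidator refuses every subtype that no allow rule matches, so a denylist of known gadget classes is never the only line of defence; the weak mapper accepts the same input unchecked.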

Weakness Enumeration

Deserialization of Untrusted Data

Related Identifiers

ALT-PU-2021-1792
BDU:2020-04626
CVE-2020-14062
DLA-2270-1
GHSA-C265-37VJ-CWCC
MGASA-2021-0153
RHSA-2020:4366
ROSA-SA-2025-2629
USN-4813-1

Affected Products

Alt Linux
Red Os
Ubuntu
Jackson-Databind