PT-2020-5463 · Fasterxml+7 · Jackson-Databind+7

Published

2017-11-01

·

Updated

2025-09-29

·

CVE-2020-10673

CVSS v2.0

9.3

High

VectorAV:N/AC:M/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions FasterXML jackson-databind versions 2.0.0 through 2.9.10.3 FasterXML jackson-databind versions 2.6.0 through 2.6.7.3
Description The issue is related to the interaction between serialization gadgets and typing, specifically with com.caucho.config.types.ResourceRef (also known as caucho-quercus). This can lead to the deserialization of untrusted data, potentially allowing a remote attacker to impact the confidentiality, integrity, and availability of protected information.
Recommendations For FasterXML jackson-databind versions 2.0.0 through 2.9.10.3, update to version 2.9.10.4 or later. For FasterXML jackson-databind versions 2.6.0 through 2.6.7.3, update to version 2.6.7.4 or later. As a temporary workaround, consider restricting the use of the com.caucho.config.types.ResourceRef class until a patch is available.

Exploit

Fix

Deserialization of Untrusted Data

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-502

Related Identifiers

ALSA-2019_2720
ALSA-2020:1644
ALSA-2020_1644
ALSA-2023_2312
ALSA-2024_3061
ALSA-2025_16880
ALT-PU-2017-2557
ALT-PU-2021-1792
BDU:2021-00714
CESA-2020_1644
CVE-2020-10673
DLA-2153-1
GHSA-FQWF-PJWF-7VQV
MGASA-2021-0153
RHSA-2020:1644
RHSA-2020:3461
RHSA-2020:3462
RHSA-2020:3463
RHSA-2020:3637
RHSA-2020:3638
RHSA-2020:3639
RHSA-2020_1644
RHSA-2025:1746
RLSA-2020:1644
RLSA-2020_1644
ROSA-SA-2025-2629
USN-4813-1

Affected Products

Alt Linux
Almalinux
Centos
Red Hat
Rocky Linux
Ubuntu
Caucho Quercus
Jackson-Databind