PT-2020-5477 · Fasterxml+2 · Jackson-Databind+2

Published

2020-01-31

Updated

2025-09-29

CVE-2020-11113

CVSS v2.0

9.3

High

Vector

AV:N/AC:M/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions FasterXML jackson-databind versions 2.x before 2.9.10.4

Description The issue is related to the org.apache.openjpa.ee.WASRegistryManagedRuntime component of the Jackson-databind library, which mishandles the interaction between serialization gadgets and typing. This can allow a remote attacker to impact the confidentiality, integrity, and availability of protected information.

Recommendations For FasterXML jackson-databind versions 2.x before 2.9.10.4, update to version 2.9.10.4 or later to resolve the issue. As a temporary workaround, consider restricting the use of serialization gadgets related to org.apache.openjpa.ee.WASRegistryManagedRuntime to minimize the risk of exploitation.

Exploit

Fix

Deserialization of Untrusted Data

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-502

Related Identifiers

ALSA-2025_16880

ALT-PU-2021-1792

BDU:2021-00772

CVE-2020-11113

DLA-2179-1

GHSA-9VVP-FXW6-JCXR

MGASA-2021-0153

RHSA-2020:1523

RHSA-2020:3817

ROSA-SA-2025-2629

USN-4813-1

Affected Products

Alt Linux

Ubuntu

Jackson-Databind

PT-2020-5477 · Fasterxml+2 · Jackson-Databind+2

CVE-2020-11113

Weakness Enumeration

Related Identifiers

Affected Products

References · 86