PT-2020-5499 · Fasterxml+2 · Jackson-Databind+2
Published
2020-09-17
·
Updated
2025-09-29
·
CVE-2020-24750
CVSS v2.0
9.3
High
| Vector | AV:N/AC:M/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
FasterXML jackson-databind versions 2.0.0 through 2.6.7.4
FasterXML jackson-databind versions 2.7.0 through 2.9.10.5
Description
The issue is related to the interaction between serialization gadgets and typing in the FasterXML jackson-databind library, specifically with the com.pastdev.httpcomponents.configuration.JndiConfiguration class. This can lead to the deserialization of untrusted data, potentially allowing a remote attacker to impact the confidentiality, integrity, and availability of protected information.
Recommendations
For FasterXML jackson-databind versions 2.0.0 through 2.6.7.4, update to version 2.6.7.5 or later.
For FasterXML jackson-databind versions 2.7.0 through 2.9.10.5, update to version 2.9.10.6 or later.
As a temporary workaround, consider disabling the use of the com.pastdev.httpcomponents.configuration.JndiConfiguration class until a patch is available.
Exploit
Fix
Deserialization of Untrusted Data
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Astra Linux
Jackson-Databind