PT-2020-5529 · Fasterxml+4 · Jackson-Databind+4

Published: 2020-12-27 · Updated: 2025-09-29 · CVE-2020-35728

CVSS v2.0: 9.3 (High)

Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: FasterXML jackson-databind versions 2.x before 2.9.10.8

Description: FasterXML jackson-databind versions 2.x before 2.9.10.8 mishandle the interaction between serialization gadgets and typing, specifically with com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool, also known as the embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl. A remote attacker can use this to affect the confidentiality, integrity, and availability of protected information.

Recommendations: For FasterXML jackson-databind versions 2.x before 2.9.10.8, update to version 2.9.10.8 or later. As a temporary workaround, restrict access to the serialization gadgets and typing features related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool until the patch is applied.
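The workaround above comes down to never letting untrusted input name arbitrary classes through default typing. The Java snippet below is an added example, not part of this advisory and not the Jackson project's own code: it shows how an application on jackson-databind 2.10 or later (the first line with the PolymorphicTypeValidator API; on the 2.9 line the fix is the update itself) can keep polymorphic typing while restricting type ids to its own package, and checks that a type id outside that allow-list, including the JNDIConnectionPool class named in this advisory, is refused with InvalidTypeIdException whether or not the class is on the classpath. The package, class and property names are assumptions.

```java
// Added example (not from the advisory or from Jackson): restrict default typing
// to an application package with an allow-list PolymorphicTypeValidator.
// Assumes jackson-databind 2.10+ on the classpath; names below are invented.
package com.example.model;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class SafeTypingExample {

    // Only classes under this package may be named by a type id in input.
    static final String ALLOWED_PREFIX = "com.example.model.";

    // Gadget class named in this advisory; used here only to confirm it is rejected.
    static final String ADVISORY_GADGET =
            "com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool";

    // A harmless application type that the allow-list does permit.
    public static class Greeting {
        public String text;
    }

    public static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(ALLOWED_PREFIX)
                .build();
        ObjectMapper mapper = new ObjectMapper();
        // The unsafe predecessor of this call is the deprecated enableDefaultTyping(),
        // which resolves any class name that appears as a type id.
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // Default typing with the WRAPPER_ARRAY inclusion used above encodes a
    // polymorphic value as ["<type id>", <value>]; this builds such a document.
    static String wrapped(String typeId, String valueJson) {
        return "[\"" + typeId + "\", " + valueJson + "]";
    }

    // Returns true when the mapper refuses to resolve the given type id.
    public static boolean rejectsTypeId(ObjectMapper mapper, String typeId) {
        try {
            mapper.readValue(wrapped(typeId, "{}"), Object.class);
            return false;
        } catch (InvalidTypeIdException e) {
            // Raised both for a class outside the allow-list and for a class
            // that cannot be found at all.
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = hardenedMapper();

        // Constructed input naming an application type: allowed.
        Object ok = mapper.readValue(
                wrapped("com.example.model.SafeTypingExample$Greeting", "{\"text\":\"hi\"}"),
                Object.class);
        System.out.println("allowed type resolved to " + ok.getClass().getName()
                + " with text=" + ((Greeting) ok).text);

        // A JDK class outside the package and the advisory's gadget class: both refused.
        System.out.println("java.net.URL rejected: " + rejectsTypeId(mapper, "java.net.URL"));
        System.out.println("advisory gadget rejected: " + rejectsTypeId(mapper, ADVISORY_GADGET));
    }
}
```

Note that the allow-list is evaluated on the class name before the class is loaded, so denial does not depend on the gadget's jar being absent; pair this configuration with the version update rather than treating it as a substitute for it.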

Exploit

Fix

Weakness Enumeration

Deserialization of Untrusted Data

Related Identifiers

ALSA-2025_16880
ALT-PU-2021-1792
BDU:2021-01045
CVE-2020-35728
DLA-2638-1
GHSA-5R5R-6HPJ-8GG9
MGASA-2021-0153
OESA-2021-1014
OPENSUSE-SU-2024:10868-1
ROSA-SA-2025-2629
SUSE-SU-2021:0243-1
SUSE-SU-2021_0243-1

Affected Products

Alt Linux
Astra Linux
Suse
Xalan
Jackson-Databind