CVE-2020-35490

Name of the Vulnerable Software and Affected Versions FasterXML jackson-databind versions 2.x before 2.9.10.8

Description The issue is related to the interaction between serialization gadgets and typing, specifically with the org.apache.commons.dbcp2.datasources.PerUserPoolDataSource component. This can lead to the exploitation of the vulnerability, allowing a remote attacker to execute arbitrary code by sending specially crafted data. The vulnerability is associated with the deserialization of untrusted data, which can result in the recovery of an invalid data structure in memory.

Recommendations For versions prior to 2.9.10.8, update to version 2.9.10.8 or later to resolve the issue. As a temporary workaround, consider restricting the use of the org.apache.commons.dbcp2.datasources.PerUserPoolDataSource component until a patch is applied.