PT-2020-6950 · Fasterxml+3 · Jackson-Databind+3

Published

2020-12-17

Updated

2025-01-28

CVE-2020-35491

CVSS v3.1

8.1

High

Vector

AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions FasterXML jackson-databind versions 2.x before 2.9.10.8

Description The issue is related to the interaction between serialization gadgets and typing, which can lead to the exploitation of the vulnerability. This may allow a remote attacker to execute arbitrary code. The vulnerability is also related to the org.apache.commons.dbcp2.datasources.SharedPoolDataSource.

Recommendations For FasterXML jackson-databind versions 2.x before 2.9.10.8, update to version 2.9.10.8 or later to resolve the issue. As a temporary workaround, consider restricting the use of serialization gadgets and typing to minimize the risk of exploitation. Additionally, restrict access to the org.apache.commons.dbcp2.datasources.SharedPoolDataSource to reduce the attack surface.

Exploit

Fix

Deserialization of Untrusted Data

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-502CWE-913

Related Identifiers

ALT-PU-2021-1792

BDU:2024-00113

CVE-2020-35491

DLA-2638-1

GHSA-R3GR-CXRF-HG25

OESA-2021-1014

ROSA-SA-2025-2629

Affected Products

Alt Linux

Apache Commons Dbcp

Astra Linux

Jackson-Databind

PT-2020-6950 · Fasterxml+3 · Jackson-Databind+3

CVE-2020-35491

Weakness Enumeration

Related Identifiers

Affected Products

References · 35