PT-2021-3159 · Apache+3 · Apache Tomcat+3
Published
2021-01-01
·
Updated
2025-01-28
·
CVE-2020-36186
CVSS v2.0
9.3
High
| Vector | AV:N/AC:M/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
FasterXML jackson-databind versions 2.x before 2.9.10.8
Description
The issue is related to the interaction between serialization gadgets and typing, specifically with the
org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource component. This can lead to the exploitation of the vulnerability, potentially allowing a remote attacker to impact the confidentiality, integrity, and availability of protected information.Recommendations
For FasterXML jackson-databind versions 2.x before 2.9.10.8, update to version 2.9.10.8 or later to resolve the issue.
As a temporary workaround, consider disabling the use of the
org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource component until a patch is available.Exploit
Fix
Deserialization of Untrusted Data
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Astra Linux
Apache Tomcat
Jackson-Databind