CVE-2020-36180

Name of the Vulnerable Software and Affected Versions FasterXML jackson-databind versions 2.x before 2.9.10.8 FasterXML jackson-databind versions 2.6.x before 2.6.7.5

Description The issue is related to the interaction between serialization gadgets and typing, specifically with the org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS component. This can allow a remote attacker to impact the confidentiality, integrity, and availability of protected information. The vulnerability is also related to the restoration of untrusted data in memory.

Recommendations For FasterXML jackson-databind versions 2.x before 2.9.10.8, update to version 2.9.10.8 or later. For FasterXML jackson-databind versions 2.6.x before 2.6.7.5, update to version 2.6.7.5 or later. As a temporary workaround, consider disabling the use of the org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS component until a patch is available. Restrict access to sensitive data and functions that may be impacted by this issue to minimize the risk of exploitation.