PT-2021-3164 · Fasterxml+3 · Jackson-Databind+3

Published

2021-01-01

Updated

2025-09-29

CVE-2020-36188

CVSS v2.0

9.3

High

Vector

AV:N/AC:M/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions FasterXML jackson-databind versions 2.x before 2.9.10.8 FasterXML jackson-databind versions 2.6.x before 2.6.7.5

Description The issue is related to the interaction between serialization gadgets and typing, specifically with the com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource component. This can allow a remote attacker to impact the confidentiality, integrity, and availability of protected information.

Recommendations For FasterXML jackson-databind versions 2.x before 2.9.10.8, update to version 2.9.10.8 or later. For FasterXML jackson-databind versions 2.6.x before 2.6.7.5, update to version 2.6.7.5 or later. As a temporary workaround, consider disabling the use of com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource until a patch is available.

Exploit

Fix

Deserialization of Untrusted Data

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-502

Related Identifiers

ALSA-2025_16880

ALT-PU-2021-1792

BDU:2021-02834

CVE-2020-36188

DLA-2638-1

GHSA-F9XH-2QGP-CQ57

OESA-2021-1051

ROSA-SA-2025-2629

Affected Products

Alt Linux

Astra Linux

Jackson-Databind

Logback

PT-2021-3164 · Fasterxml+3 · Jackson-Databind+3

CVE-2020-36188

Weakness Enumeration

Related Identifiers

Affected Products

References · 43