CVE-2020-36181

Name of the Vulnerable Software and Affected Versions FasterXML jackson-databind versions 2.x before 2.9.10.8 FasterXML jackson-databind version 2.6.7.5

Description The issue is related to the interaction between serialization gadgets and typing, specifically with the org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS component. This can lead to the exploitation of the vulnerability, potentially allowing a remote attacker to impact the confidentiality, integrity, and availability of protected information. The vulnerability is associated with the mishandling of data deserialization.

Recommendations For FasterXML jackson-databind versions 2.x before 2.9.10.8, update to version 2.9.10.8 or later. For FasterXML jackson-databind version 2.6.7.5, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting the use of the org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS component until a patch is available.