PT-2021-3167 · Fasterxml+3 · Jackson-Databind+3
Published
2021-01-01
·
Updated
2025-01-28
·
CVE-2020-36185
CVSS v2.0
9.3
High
| Vector | AV:N/AC:M/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
FasterXML jackson-databind versions 2.0 through 2.9.10.7
Description
The issue is related to the interaction between serialization gadgets and typing, specifically involving the
org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource component. This can lead to the deserialization of untrusted data, potentially allowing a remote attacker to impact the confidentiality, integrity, and availability of protected information.Recommendations
For FasterXML jackson-databind versions 2.0 through 2.9.10.7, update to version 2.9.10.8 or later to resolve the issue.
As a temporary workaround, consider restricting the use of the
org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource component until a patch is available.Exploit
Fix
Deserialization of Untrusted Data
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Apache Tomcat
Astra Linux
Jackson-Databind