CVE-2020-36187

Name of the Vulnerable Software and Affected Versions FasterXML jackson-databind versions 2.x before 2.9.10.8

Description The issue is related to the interaction between serialization gadgets and typing, specifically involving the org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource component. This can lead to the deserialization of untrusted data, potentially allowing a remote attacker to impact the confidentiality, integrity, and availability of protected information.

Recommendations For FasterXML jackson-databind versions 2.x before 2.9.10.8, update to version 2.9.10.8 or later to resolve the issue. As a temporary workaround, consider restricting the use of the org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource component until a patch is available.