CVE-2020-24750: High severity fasterxml jackson-databind vulnerability

Published Sep 17, 2020
·
Updated

A flaw was found in jackson-databind 2.x in versions prior to 2.9.10.6. The interaction between serialization gadgets and typing is mishandled. The highest threat from this vulnerability is to data confidentiality and system availability.

Other sources

FasterXML jackson-databind 2.x before 2.6.7.5 and from 2.7.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration.

FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration.

Affected Software

42 affected componentsFixes available
maven/com.fasterxml.jackson.core:jackson-databind>=2.7.0<=2.9.10.5
2.9.10.6
maven/com.fasterxml.jackson.core:jackson-databind>=2.0<=2.6.7.4
2.6.7.5
redhat/rh-maven35-jackson-databind<0:2.7.6-2.11.el7
0:2.7.6-2.11.el7
fasterxml jackson-databind>=2.0.0<2.6.7.5
fasterxml jackson-databind>=2.7.0<2.9.10.6
Oracle Agile PLM=9.3.6
Oracle Application Testing Suite=13.3.0.1
Oracle Autovue For Agile Product Lifecycle Management=21.0.2
Oracle Banking Corporate Lending Process Management=14.2.0
Oracle Banking Corporate Lending Process Management=14.3.0
Oracle Banking Corporate Lending Process Management=14.5.0
Oracle Banking Credit Facilities Process Management=14.2.0
Oracle Banking Credit Facilities Process Management=14.3.0
Oracle Banking Credit Facilities Process Management=14.5.0
Oracle Banking Liquidity Management=14.2
Oracle Banking Liquidity Management=14.3
Oracle Banking Liquidity Management=14.5
Oracle Banking Supply Chain Finance=14.2.0
Oracle Banking Supply Chain Finance=14.3.0
Oracle Banking Supply Chain Finance=14.5.0
Oracle Blockchain Platform<21.1.2
Oracle Communications Calendar Server=8.0
Oracle Communications Calendar Server=8.0.0.4.0
Oracle Communications Contacts Server=8.0
Oracle Communications Contacts Server=8.0.0.5.0
Oracle Communications Diameter Signaling Router>=8.0.0<=8.2.2
Oracle Communications Element Manager>=8.2.0<=8.2.4.0
Oracle Communications Instant Messaging Server=10.0.1.5.0
Oracle Communications Messaging Server=8.1
Oracle Communications Offline Mediation Controller=12.0.0.3.0
Oracle Communications Policy Management=12.5.0
Oracle Communications Pricing Design Center=12.0.0.4.0
Oracle Communications Services Gatekeeper=7.0
Oracle Communications Session Report Manager>=8.0.0.0<=8.2.2.1
Oracle Communications Session Route Manager>=8.2.0<=8.2.2.1
Oracle Communications Unified Inventory Management=7.4.1
Oracle Identity Manager Connector=11.1.1.5.0
Oracle Siebel Core - Server Framework<=21.5
Oracle Siebel UI Framework<=21.2
Debian Debian Linux=9.0
redhat/jackson-databind<2.9.10.6
2.9.10.6
IBM InfoSphere Data Architect<=9.2.1

Remediation

Patch Available

https://github.com/FasterXML/jackson-databind/commit/ad5a630174f08d279504bc51ebba8772fd71b86b

Patch Available

https://github.com/FasterXML/jackson-databind/issues/2798

Patch Available

https://www.oracle.com//security-alerts/cpujul2021.html

Patch Available

https://www.oracle.com/security-alerts/cpuApr2021.html

Patch Available

https://www.oracle.com/security-alerts/cpuapr2022.html

Patch Available

https://www.oracle.com/security-alerts/cpujan2022.html

Patch Available

https://www.oracle.com/security-alerts/cpuoct2021.html

Information

The following conditions are needed for an exploit, we recommend avoiding all if possible: * Deserialization from sources you do not control * `enableDefaultTyping()` * `@JsonTypeInfo using `id.CLASS` or `id.MINIMAL_CLASS` * avoid com.pastdev.httpcomponents in the classpath

Event History

Sep 17, 2020
CVE Published
via MITRE·06:39 PM
Data Sourced
via MITRE·06:39 PM
Description
Sep 24, 2020
Data Sourced
via Red Hat·10:06 AM
DescriptionSeverityAffected Software
Dec 9, 2021
Advisory Published
07:15 PM
Mar 4, 2026
Data Sourced
via IBM·12:00 AM
DescriptionAffected Software

Parent advisories

This vulnerability appears in the following advisories.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is CVE-2020-24750?

CVE-2020-24750 is a vulnerability in jackson-databind versions prior to 2.9.10.6 which mishandles the interaction between serialization gadgets and typing.

2

What is the severity of CVE-2020-24750?

CVE-2020-24750 has a severity rating of 8.1, which is categorized as high.

3

How does CVE-2020-24750 impact data confidentiality?

CVE-2020-24750 poses a threat to data confidentiality.

4

How does CVE-2020-24750 impact system availability?

CVE-2020-24750 poses a threat to system availability.

5

How can I fix CVE-2020-24750?

To fix CVE-2020-24750, update to jackson-databind version 2.9.10.6 or higher.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203