CVE-2020-36186: High severity fasterxml jackson-databind vulnerability

Q: What is the severity of CVE-2020-36186?

The severity of CVE-2020-36186 is significant, as it poses risks to data confidentiality, integrity, and system availability.

Q: How do I fix CVE-2020-36186?

To fix CVE-2020-36186, upgrade to FasterXML jackson-databind version 2.9.10.8 or later.

Q: Which versions of jackson-databind are affected by CVE-2020-36186?

CVE-2020-36186 affects FasterXML jackson-databind versions prior to 2.9.10.8.

Q: What types of attacks exploit CVE-2020-36186?

CVE-2020-36186 can be exploited through serialization gadget attacks that may compromise sensitive data.

Q: Is CVE-2020-36186 a critical vulnerability?

While CVE-2020-36186 is not rated as critical, it poses a serious risk that requires prompt attention and mitigation.

Published Dec 23, 2020

Updated

A flaw was found in jackson-databind. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Other sources

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource.

Affected Software

78 affected componentsFixes available

maven/com.fasterxml.jackson.core:jackson-databind>=2.0.0<2.9.10.8

2.9.10.8

fasterxml jackson-databind>=2.0.0<2.6.7.5

fasterxml jackson-databind>=2.7.0<2.9.10.8

NetApp Cloud Backup

NetApp Service Level Manager

Debian Debian Linux=9.0

Oracle Agile PLM=9.3.6

Oracle Application Testing Suite=13.3.0.1

Oracle Autovue For Agile Product Lifecycle Management=21.0.2

Oracle Banking Corporate Lending Process Management=14.2

Oracle Banking Corporate Lending Process Management=14.3

Oracle Banking Corporate Lending Process Management=14.5

Oracle Banking Credit Facilities Process Management=14.2

Oracle Banking Credit Facilities Process Management=14.3

Oracle Banking Credit Facilities Process Management=14.5

Oracle Banking Extensibility Workbench=14.2

Oracle Banking Extensibility Workbench=14.3

Oracle Banking Extensibility Workbench=14.5

Oracle Banking Supply Chain Finance=14.2

Oracle Banking Supply Chain Finance=14.3

Oracle Banking Supply Chain Finance=14.5

Oracle Banking Treasury Management=4.4

Oracle Banking Virtual Account Management=14.2.0

Oracle Banking Virtual Account Management=14.3.0

Oracle Banking Virtual Account Management=14.5.0

Oracle Blockchain Platform<=21.1.2

Oracle Commerce Platform>=11.3.0<=11.3.2

Oracle Commerce Platform=11.2.0

Oracle Communications Billing and Revenue Management=7.5.0.23.0

Oracle Communications Billing and Revenue Management=12.0.0.3.0

Oracle Communications Cloud Native Core Policy=1.14.0

Oracle Communications Cloud Native Core Unified Data Repository=1.4.0

Oracle Communications Convergent Charging Controller=12.0.4.0.0

Oracle Communications Diameter Signaling Route>=8.0.0.0<=8.5.0.0

Oracle Communications Element Manager>=8.2.0.0<=8.2.4.0

Oracle Communications Evolved Communications Application Server=7.1

Oracle Communications Instant Messaging Server=10.0.1.5.0

Oracle Communications Network Charging And Control=12.0.4.0.0

Oracle Communications Offline Mediation Controller=12.0.0.3

Oracle Communications Policy Management=12.5.0

Oracle Communications Pricing Design Center=12.0.0.4.0

Oracle Communications Services Gatekeeper=7.0

Oracle Communications Session Report Manager>=8.0.0.0<=8.2.2.1

Oracle Communications Session Route Manager>=8.2.0.0<=8.2.2.1

Oracle Communications Unified Inventory Management=7.4.1

Oracle Data Integrator=12.2.1.4.0

Oracle Documaker=12.6.0

Oracle Documaker=12.6.3

Oracle Documaker=12.6.4

Oracle Goldengate Application Adapters=19.1.0.0.0

Oracle Insurance Policy Administration>=11.1.0<=11.3.0

Oracle Insurance Policy Administration=11.0.2

Oracle Insurance Rules Palette>=11.1.0<=11.3.0

Oracle Insurance Rules Palette=11.0.2

Oracle JD Edwards EnterpriseOne Orchestrator<9.2.5.3

Oracle JD Edwards EnterpriseOne Tools<9.2.5.3

Oracle Primavera Gateway>=17.12.0<=17.12.11

Oracle Primavera Gateway>=18.8.0<=18.8.11

Oracle Primavera Gateway>=19.12.0<=19.12.10

Oracle Primavera Gateway=20.12.0

Oracle Primavera Unifier>=17.7<=17.12

Oracle Primavera Unifier=17.2

Oracle Primavera Unifier=18.8

Oracle Primavera Unifier=19.12

Oracle Primavera Unifier=20.12

Oracle Retail Customer Management and Segmentation Foundation>=16.0<=19.0

Oracle Retail Merchandising System=15.0.3

Oracle Retail Service Backbone=14.1.3.2

Oracle Retail Service Backbone=15.0.3.1

Oracle Retail Service Backbone=16.0.3.0

Oracle Retail Xstore Point of Service=16.0.6

Oracle Retail Xstore Point of Service=17.0.4

Oracle Retail Xstore Point of Service=18.0.3

Oracle Retail Xstore Point of Service=19.0.2

Oracle WebCenter Portal=12.2.1.3.0

Oracle WebCenter Portal=12.2.1.4.0

redhat/jackson-databind<2.9.10.8

2.9.10.8

IBM InfoSphere Data Architect<=9.2.1

Remediation

Information

The following conditions are needed for an exploit, we recommend avoiding all if possible: * Deserialization from sources you do not control * `enableDefaultTyping()` * `@JsonTypeInfo using `id.CLASS` or `id.MINIMAL_CLASS` * avoid: oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS, org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS, org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS, org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS, org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool, org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource, org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource, org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource, org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource, com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource, com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource in the classpath

Event History

Dec 23, 2020

CVE Published

12:00 AM

Data Sourced

12:00 AM

RemedyDescriptionSeverityWeaknessAffected Software

Jan 6, 2021

CVE Published

via MITRE·10:29 PM

Data Sourced

via MITRE·10:29 PM

Description

Jan 7, 2021

Data Sourced

via Red Hat·07:55 PM

DescriptionSeverityAffected Software

Nov 19, 2021

Advisory Published

08:13 PM

Mar 4, 2026

Data Sourced

via IBM·12:00 AM

DescriptionAffected Software

Parent advisories

This vulnerability appears in the following advisories.

Frequently Asked Questions

What is the severity of CVE-2020-36186?

The severity of CVE-2020-36186 is significant, as it poses risks to data confidentiality, integrity, and system availability.

How do I fix CVE-2020-36186?

To fix CVE-2020-36186, upgrade to FasterXML jackson-databind version 2.9.10.8 or later.

Which versions of jackson-databind are affected by CVE-2020-36186?

CVE-2020-36186 affects FasterXML jackson-databind versions prior to 2.9.10.8.

What types of attacks exploit CVE-2020-36186?

CVE-2020-36186 can be exploited through serialization gadget attacks that may compromise sensitive data.

Is CVE-2020-36186 a critical vulnerability?

While CVE-2020-36186 is not rated as critical, it poses a serious risk that requires prompt attention and mitigation.

CVE-2020-36186: High severity fasterxml jackson-databind vulnerability

Other sources

Affected Software

Remediation

Patch Available

Patch Available

Patch Available

Patch Available

Information

Event History

Parent advisories

Don't miss critical vulnerabilities

Frequently Asked Questions

What is the severity of CVE-2020-36186?

How do I fix CVE-2020-36186?

Which versions of jackson-databind are affected by CVE-2020-36186?

What types of attacks exploit CVE-2020-36186?

Is CVE-2020-36186 a critical vulnerability?

Company

Resources

Contact