CVE-2020-14062

HIGH

Fasterxml Jackson-databind < 2.9.10.5 - Insecure Deserialization

Title source: rule

Description

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2).

Exploits (2)

nomisec WORKING POC
by dawetmaster · poc
https://github.com/dawetmaster/CVE-2020-14062-jackson-databind-vulnerable
nomisec WORKING POC
by andikahilmy · poc
https://github.com/andikahilmy/CVE-2020-14062-jackson-databind-vulnerable

References (9)

Scores

CVSS v3 8.1
EPSS 0.0733
EPSS Percentile 91.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-502
Status published
Products (20)
com.fasterxml.jackson.core/jackson-databind 2.9.0 - 2.9.10.5Maven
debian/debian_linux 8.0
fasterxml/jackson-databind 2.9.0 - 2.9.10.5
netapp/active_iq_unified_manager 7.3 (2 CPE variants)
netapp/active_iq_unified_manager 9.5
netapp/steelstore_cloud_integrated_storage
oracle/agile_plm 9.3.6
oracle/banking_digital_experience 18.1
oracle/banking_digital_experience 18.2
oracle/banking_digital_experience 18.3
... and 10 more
Published Jun 14, 2020
Tracked Since Feb 18, 2026