CVE-2020-14195

HIGH

Fasterxml Jackson-databind < 2.9.10.5 - Insecure Deserialization

Title source: rule

Description

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to org.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity).

Exploits (3)

nomisec WORKING POC 1 stars
by Al1ex · poc
https://github.com/Al1ex/CVE-2020-14195
nomisec WORKING POC
by dawetmaster · poc
https://github.com/dawetmaster/CVE-2020-14195-jackson-databind-vulnerable
nomisec WORKING POC
by andikahilmy · poc
https://github.com/andikahilmy/CVE-2020-14195-jackson-databind-vulnerable

References (8)

Scores

CVSS v3 8.1
EPSS 0.0906
EPSS Percentile 92.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-502
Status published
Products (21)
com.fasterxml.jackson.core/jackson-databind 2.9.0 - 2.9.10.5Maven
debian/debian_linux 8.0
fasterxml/jackson-databind 2.9.0 - 2.9.10.5
netapp/active_iq_unified_manager 7.3 (2 CPE variants)
netapp/active_iq_unified_manager 9.5
netapp/steelstore_cloud_integrated_storage
oracle/agile_plm 9.3.6
oracle/banking_digital_experience 18.1
oracle/banking_digital_experience 18.2
oracle/banking_digital_experience 18.3
... and 11 more
Published Jun 16, 2020
Tracked Since Feb 18, 2026