CVE-2020-35728

HIGH

jackson-databind 2.9.0-2.9.10.7 - Deserialization of Untrusted Data via JNDIConnectionPool

Exploitation Summary

EIP tracks 3 public exploits for CVE-2020-35728. PoCs published by Al1ex, dawetmaster, andikahilmy.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2020-35728, demonstrating deserialization-based RCE in FasterXML jackson-databind via the JNDIConnectionPool gadget. The PoC includes Maven dependencies and Java code to trigger the vulnerability.

Description

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl).

Exploits (3)

nomisec · Working PoC · 42 stars
by Al1ex · poc
https://github.com/Al1ex/CVE-2020-35728

Classification: Working PoC (95%)
Attack type: Deserialization
Complexity: Moderate
Reliability: Reliable
Target: FasterXML jackson-databind 2.x before 2.9.10.8
Authentication: none needed
Prerequisites: Vulnerable version of jackson-databind · LDAP server for JNDI injection
Analyzed by devstral-2, Feb 18, 2026
nomisec · Working PoC
by dawetmaster · poc
https://github.com/dawetmaster/CVE-2020-35728-jackson-databind-vulnerable

This repository contains a vulnerable version of Jackson Databind (2.9.0) that can be used to demonstrate CVE-2020-35728, a deserialization vulnerability. The included source code and build configuration allow for testing and exploitation of the flaw.

Classification: Working PoC (90%)
Attack type: Deserialization
Complexity: Moderate
Reliability: Reliable
Target: Jackson Databind 2.9.0
Authentication: none needed
Prerequisites: Java environment · Jackson Databind 2.9.0 dependency
Analyzed by devstral-2, Mar 14, 2026
nomisec · Working PoC
by andikahilmy · poc
https://github.com/andikahilmy/CVE-2020-35728-jackson-databind-vulnerable

This repository contains a functional exploit for CVE-2020-35728, a deserialization vulnerability in Jackson Databind. The provided code includes modified Jackson Databind source files to demonstrate the vulnerability, along with scripts to compile and run the exploit.

Classification: Working PoC (90%)
Attack type: Deserialization
Complexity: Moderate
Reliability: Reliable
Target: Jackson Databind (versions affected by CVE-2020-35728)
Authentication: none needed
Prerequisites: Java runtime environment · Vulnerable version of Jackson Databind
Analyzed by devstral-2, Feb 18, 2026

References (10)

Patch, Third Party Advisory: https://github.com/FasterXML/jackson-databind/issues/2999
Mailing List, Third Party Advisory: https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html
Third Party Advisory: https://www.oracle.com/security-alerts/cpuApr2021.html
Third Party Advisory: https://security.netapp.com/advisory/ntap-20210129-0007/
Patch, Third Party Advisory: https://www.oracle.com//security-alerts/cpujul2021.html
Patch, Third Party Advisory: https://www.oracle.com/security-alerts/cpuoct2021.html
Patch, Third Party Advisory: https://www.oracle.com/security-alerts/cpujan2022.html
Patch, Third Party Advisory: https://www.oracle.com/security-alerts/cpuapr2022.html
Third Party Advisory: https://www.oracle.com/security-alerts/cpujul2022.html

Scores

CVSS v3 8.1
EPSS 0.1250
EPSS Percentile 95.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-502
Status published
Products (50)
com.fasterxml.jackson.core/jackson-databind 2.0.0 - 2.9.10.8 (Maven)
debian/debian_linux 9.0
fasterxml/jackson-databind 2.9.0 - 2.9.10.8
netapp/service_level_manager
oracle/agile_plm 9.3.6
oracle/application_testing_suite 13.3.0.1
oracle/autovue 21.0.2
oracle/banking_corporate_lending_process_management 14.2
oracle/banking_corporate_lending_process_management 14.3
oracle/banking_corporate_lending_process_management 14.5
... and 40 more
Published Dec 27, 2020
Tracked Since Feb 18, 2026