CVE-2020-35728

HIGH

Fasterxml Jackson-databind < 2.9.10.8 - Insecure Deserialization

Title source: rule

Description

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl).

Exploits (3)

nomisec WORKING POC 42 stars

by Al1ex · poc

https://github.com/Al1ex/CVE-2020-35728

View Code ZIP pw:eip

nomisec WORKING POC

by dawetmaster · poc

https://github.com/dawetmaster/CVE-2020-35728-jackson-databind-vulnerable

View Code ZIP pw:eip

nomisec WORKING POC

by andikahilmy · poc

https://github.com/andikahilmy/CVE-2020-35728-jackson-databind-vulnerable

View Code ZIP pw:eip

References (10)

[Various Sources] https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062

[Patch, Third Party Advisory] https://github.com/FasterXML/jackson-databind/issues/2999

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html

[Third Party Advisory] https://security.netapp.com/advisory/ntap-20210129-0007/

[Patch, Third Party Advisory] https://www.oracle.com//security-alerts/cpujul2021.html

[Third Party Advisory] https://www.oracle.com/security-alerts/cpuApr2021.html

[Patch, Third Party Advisory] https://www.oracle.com/security-alerts/cpuapr2022.html

[Patch, Third Party Advisory] https://www.oracle.com/security-alerts/cpujan2022.html

[Third Party Advisory] https://www.oracle.com/security-alerts/cpujul2022.html

[Patch, Third Party Advisory] https://www.oracle.com/security-alerts/cpuoct2021.html

Scores

CVSS v3 8.1

EPSS 0.3967

EPSS Percentile 97.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-502

Status published

Affected Products (50)

fasterxml/jackson-databind < 2.9.10.8

debian/debian_linux

netapp/service_level_manager

oracle/agile_plm

oracle/application_testing_suite

oracle/autovue

oracle/banking_corporate_lending_process_management

oracle/banking_corporate_lending_process_management

oracle/banking_corporate_lending_process_management

oracle/banking_credit_facilities_process_management

oracle/banking_credit_facilities_process_management

oracle/banking_credit_facilities_process_management

oracle/banking_extensibility_workbench

oracle/banking_extensibility_workbench

oracle/banking_extensibility_workbench

... and 35 more

Timeline

Published Dec 27, 2020

Tracked Since Feb 18, 2026