CVE-2020-36180
HIGHNetapp Cloud Backup < 21.1.2 - Insecure Deserialization
Title source: ruleExploitation Summary
EIP tracks 3 public exploits for CVE-2020-36180. PoCs published by dawetmaster, andikahilmy, cuijiung.
AI-analyzed exploit summary This repository contains a vulnerable version of Jackson Databind (2.9.0) that is susceptible to CVE-2020-36180, a deserialization vulnerability. The included source code and build configuration allow for testing and exploitation of the vulnerability.
Description
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS.
Exploits (3)
This repository contains a vulnerable version of Jackson Databind (2.9.0) that is susceptible to CVE-2020-36180, a deserialization vulnerability. The included source code and build configuration allow for testing and exploitation of the vulnerability.
This repository contains a vulnerable version of Jackson Databind (2.9.0) that demonstrates CVE-2020-36180, a deserialization vulnerability. The included source code and build configuration allow for testing and exploitation of the flaw.
This PoC demonstrates a deserialization vulnerability in Jackson Databind (CVE-2020-36180) by exploiting polymorphic typing to trigger arbitrary JDBC connection strings, leading to RCE via H2 database script execution. The payload leverages `DriverAdapterCPDS` to fetch and execute a remote SQL script.
References (10)
Scores
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H