CVE-2020-36181

HIGH

Netapp Service Level Manager < 21.1.2 - Insecure Deserialization

Title source: rule

Description

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS.

Exploits (2)

nomisec WORKING POC

by andikahilmy · poc

https://github.com/andikahilmy/CVE-2020-36181-jackson-databind-vulnerable

View Code ZIP pw:eip

nomisec WORKING POC

by dawetmaster · poc

https://github.com/dawetmaster/CVE-2020-36181-jackson-databind-vulnerable

View Code ZIP pw:eip

References (10)

[Exploit, Technical Description, Third Party Advisory] https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062

[Issue Tracking, Patch, Third Party Advisory] https://github.com/FasterXML/jackson-databind/issues/3004

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html

[Third Party Advisory] https://security.netapp.com/advisory/ntap-20210205-0005/

[Patch, Third Party Advisory] https://www.oracle.com//security-alerts/cpujul2021.html

[Third Party Advisory] https://www.oracle.com/security-alerts/cpuApr2021.html

[Patch, Third Party Advisory] https://www.oracle.com/security-alerts/cpuapr2022.html

[Patch, Third Party Advisory] https://www.oracle.com/security-alerts/cpujan2022.html

[Third Party Advisory] https://www.oracle.com/security-alerts/cpujul2022.html

[Patch, Third Party Advisory] https://www.oracle.com/security-alerts/cpuoct2021.html

Scores

CVSS v3 8.1

EPSS 0.0541

EPSS Percentile 90.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-502

Status published

Affected Products (50)

netapp/service_level_manager

debian/debian_linux

oracle/agile_plm

oracle/application_testing_suite

oracle/autovue_for_agile_product_lifecycle_management

oracle/banking_corporate_lending_process_management

oracle/banking_credit_facilities_process_management

oracle/banking_extensibility_workbench

oracle/banking_supply_chain_finance

... and 35 more

Timeline

Published Jan 06, 2021

Tracked Since Feb 18, 2026