CVE-2020-36188
HIGHjackson-databind 2.0.0-2.9.10.7 - Deserialization of Untrusted Data via JNDIConnectionSource
Title source: llmExploitation Summary
EIP tracks 3 public exploits for CVE-2020-36188. PoCs published by Al1ex, dawetmaster, andikahilmy.
AI-analyzed exploit summary This repository contains a functional exploit for CVE-2020-36188, demonstrating RCE via Jackson deserialization with a JNDI gadget chain. The PoC includes all necessary components (Java code, dependencies, and setup instructions) to trigger the vulnerability.
Description
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource.
Exploits (3)
This repository contains a functional exploit for CVE-2020-36188, demonstrating RCE via Jackson deserialization with a JNDI gadget chain. The PoC includes all necessary components (Java code, dependencies, and setup instructions) to trigger the vulnerability.
This repository contains a vulnerable version of Jackson Databind (2.9.0) that is susceptible to CVE-2020-36188, a deserialization vulnerability. The included source code and build configuration allow for testing and exploitation of the vulnerability.
This repository contains a functional exploit PoC for CVE-2020-36188, a deserialization vulnerability in Jackson Databind. The code includes vulnerable versions of Jackson Databind components and demonstrates the exploit through Java-based deserialization attacks.
References (10)
Scores
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H