CVE-2020-8840

CRITICAL

FasterXML Jackson-Databind <2.9.10.2 - RCE

Description

FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.

Exploits (9)

nomisec WORKING POC 73 stars
by jas502n · poc
https://github.com/jas502n/jackson-CVE-2020-8840
nomisec WORKING POC 37 stars
by fairyming · poc
https://github.com/fairyming/CVE-2020-8840
nomisec WORKING POC 16 stars
by Wfzsec · poc
https://github.com/Wfzsec/FastJson1.2.62-RCE
github WORKING POC 5 stars
by JAckLosingHeart · javapoc
https://github.com/JAckLosingHeart/CVE-PoC-Collection/tree/main/jackson-CVE-2020-8840
nomisec WORKING POC 4 stars
by Veraxy00 · poc
https://github.com/Veraxy00/CVE-2020-8840
nomisec WORKING POC 1 star
by dpredrag · poc
https://github.com/dpredrag/CVE-2020-8840
nomisec WORKING POC 1 star
by Blyth0He · poc
https://github.com/Blyth0He/CVE-2020-8840
nomisec WORKING POC
by dawetmaster · poc
https://github.com/dawetmaster/CVE-2020-8840-jackson-databind-vulnerable
nomisec WORKING POC
by andikahilmy · poc
https://github.com/andikahilmy/CVE-2020-8840-jackson-databind-vulnerable

Scores

CVSS v3 9.8
EPSS 0.0816
EPSS Percentile 92.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-502
Status published
Products (12)
com.fasterxml.jackson.core/jackson-databind 2.0.0 - 2.6.7.4 (Maven)
debian/debian_linux 8.0
fasterxml/jackson-databind 2.0.0 - 2.7.9.7
huawei/oceanstor_9000_firmware v300r006c20
huawei/oceanstor_9000_firmware v300r006c20spc100
huawei/oceanstor_9000_firmware v300r006c20spc200
huawei/oceanstor_9000_firmware v300r006c20spc300
netapp/oncommand_api_services
netapp/oncommand_workflow_automation
netapp/service_level_manager
... and 2 more
Published Feb 10, 2020
Tracked Since Feb 18, 2026