CVE-2021-20190

HIGH

jackson-databind < 2.9.10.7 - Deserialization of Untrusted Data

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2021-20190. PoCs published by dawetmaster and andikahilmy.

AI-analyzed exploit summary: This repository contains a vulnerable version of Jackson Databind (2.9.0) that demonstrates CVE-2021-20190, a deserialization vulnerability. The code includes the full Jackson Databind source with the vulnerable components, allowing for exploitation testing.

Description

A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Exploits (2)

nomisec · WORKING POC
by dawetmaster · poc
https://github.com/dawetmaster/CVE-2021-20190-jackson-databind-vulnerable

This repository contains a vulnerable version of Jackson Databind (2.9.0) that demonstrates CVE-2021-20190, a deserialization vulnerability. The code includes the full Jackson Databind source with the vulnerable components, allowing for exploitation testing.

Classification: Working PoC (90%)
Attack Type: Deserialization
Complexity: Moderate
Reliability: Reliable
Target: Jackson Databind 2.9.0
Authentication: No auth needed
Prerequisites: Java environment · vulnerable Jackson Databind version
devstral-2 · analyzed Mar 14, 2026
nomisec · WORKING POC
by andikahilmy · poc
https://github.com/andikahilmy/CVE-2021-20190-jackson-databind-vulnerable

This repository contains a vulnerable version of Jackson Databind (2.9.0) that is susceptible to CVE-2021-20190, a deserialization vulnerability. The included source code and build configuration allow for testing and exploitation of the vulnerability.

Classification: Working PoC (90%)
Attack Type: Deserialization
Complexity: Moderate
Reliability: Reliable
Target: Jackson Databind 2.9.0
Authentication: No auth needed
Prerequisites: Vulnerable version of Jackson Databind (2.9.0) · Ability to send crafted JSON payloads to an application using Jackson Databind
devstral-2 · analyzed Feb 18, 2026

References (6)

Core References (6)
https://github.com/FasterXML/jackson-databind/issues/2854 (Patch, Third Party Advisory; x_refsource_misc)
https://bugzilla.redhat.com/show_bug.cgi?id=1916633 (Issue Tracking, Patch, Third Party Advisory; x_refsource_misc)
https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html (Mailing List, Third Party Advisory; mailing-list, x_refsource_mlist)
https://www.oracle.com//security-alerts/cpujul2021.html (Third Party Advisory; x_refsource_misc)
https://security.netapp.com/advisory/ntap-20210219-0008/ (Third Party Advisory; x_refsource_confirm)

Scores

CVSS v3: 8.1
EPSS: 0.0050
EPSS Percentile: 66.6%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: total

Details

CWE: CWE-502
Status: published
Products (9)
apache/nifi 1.7.0 - 1.12.1
com.fasterxml.jackson.core/jackson-databind 2.7.0 - 2.9.10.7 (Maven)
debian/debian_linux 9.0
fasterxml/jackson-databind < 2.6.7.5
netapp/active_iq_unified_manager (2 CPE variants)
netapp/oncommand_api_services
netapp/oncommand_insight
netapp/service_level_manager
oracle/commerce_guided_search_and_experience_manager 11.3.2
Published: Jan 19, 2021
Tracked Since: Feb 18, 2026