CVE-2020-36179

jackson-databind: mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS

Severity Score

8.1

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS.

FasterXML jackson-databind versiones 2.x anteriores a 2.9.10.8, maneja inapropiadamente la interacción entre los gadgets de serialización y la escritura, relacionada con oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS

A flaw was found in jackson-databind. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

None

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2021-01-06 CVE Reserved
2021-01-06 CVE Published
2021-01-10 First Exploit
2023-11-08 EPSS Updated
2024-08-04 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-502: Deserialization of Untrusted Data

CAPEC

References (14)

URL	Tag	Source
https://lists.apache.org/thread.html/rc255f41d9a61d3dc79a51fb5c713de4ae10e71e3673feeb0b180b436%40%3Cissues.spark.apache.org%3E	Mailing List
https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html	Mailing List
https://security.netapp.com/advisory/ntap-20210205-0005	Third Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.html	Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html	Third Party Advisory

URL	Date	SRC
https://github.com/Al1ex/CVE-2020-36179	2021-01-10
https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062	2024-08-04

URL	Date	SRC
https://github.com/FasterXML/jackson-databind/issues/3004	2024-07-03
https://www.oracle.com//security-alerts/cpujul2021.html	2024-07-03
https://www.oracle.com/security-alerts/cpuapr2022.html	2024-07-03
https://www.oracle.com/security-alerts/cpujan2022.html	2024-07-03
https://www.oracle.com/security-alerts/cpuoct2021.html	2024-07-03

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2020-36179	2021-05-06
https://bugzilla.redhat.com/show_bug.cgi?id=1913871	2021-05-06

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Netapp Search vendor "Netapp"		Cloud Backup Search vendor "Netapp" for product "Cloud Backup"				-		-		Affected
Netapp Search vendor "Netapp"		Service Level Manager Search vendor "Netapp" for product "Service Level Manager"				-		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0"		-		Affected
Oracle Search vendor "Oracle"		Agile Plm Search vendor "Oracle" for product "Agile Plm"				9.3.6 Search vendor "Oracle" for product "Agile Plm" and version "9.3.6"		-		Affected
Oracle Search vendor "Oracle"		Application Testing Suite Search vendor "Oracle" for product "Application Testing Suite"				13.3.0.1 Search vendor "Oracle" for product "Application Testing Suite" and version "13.3.0.1"		-		Affected
Oracle Search vendor "Oracle"		Autovue For Agile Product Lifecycle Management Search vendor "Oracle" for product "Autovue For Agile Product Lifecycle Management"				21.0.2 Search vendor "Oracle" for product "Autovue For Agile Product Lifecycle Management" and version "21.0.2"		-		Affected
Oracle Search vendor "Oracle"		Banking Corporate Lending Process Management Search vendor "Oracle" for product "Banking Corporate Lending Process Management"				14.2 Search vendor "Oracle" for product "Banking Corporate Lending Process Management" and version "14.2"		-		Affected
Oracle Search vendor "Oracle"		Banking Corporate Lending Process Management Search vendor "Oracle" for product "Banking Corporate Lending Process Management"				14.3 Search vendor "Oracle" for product "Banking Corporate Lending Process Management" and version "14.3"		-		Affected
Oracle Search vendor "Oracle"		Banking Corporate Lending Process Management Search vendor "Oracle" for product "Banking Corporate Lending Process Management"				14.5 Search vendor "Oracle" for product "Banking Corporate Lending Process Management" and version "14.5"		-		Affected
Oracle Search vendor "Oracle"		Banking Credit Facilities Process Management Search vendor "Oracle" for product "Banking Credit Facilities Process Management"				14.2 Search vendor "Oracle" for product "Banking Credit Facilities Process Management" and version "14.2"		-		Affected
Oracle Search vendor "Oracle"		Banking Credit Facilities Process Management Search vendor "Oracle" for product "Banking Credit Facilities Process Management"				14.3 Search vendor "Oracle" for product "Banking Credit Facilities Process Management" and version "14.3"		-		Affected
Oracle Search vendor "Oracle"		Banking Credit Facilities Process Management Search vendor "Oracle" for product "Banking Credit Facilities Process Management"				14.5 Search vendor "Oracle" for product "Banking Credit Facilities Process Management" and version "14.5"		-		Affected
Oracle Search vendor "Oracle"		Banking Supply Chain Finance Search vendor "Oracle" for product "Banking Supply Chain Finance"				14.2 Search vendor "Oracle" for product "Banking Supply Chain Finance" and version "14.2"		-		Affected
Oracle Search vendor "Oracle"		Banking Supply Chain Finance Search vendor "Oracle" for product "Banking Supply Chain Finance"				14.3 Search vendor "Oracle" for product "Banking Supply Chain Finance" and version "14.3"		-		Affected
Oracle Search vendor "Oracle"		Banking Supply Chain Finance Search vendor "Oracle" for product "Banking Supply Chain Finance"				14.5 Search vendor "Oracle" for product "Banking Supply Chain Finance" and version "14.5"		-		Affected
Oracle Search vendor "Oracle"		Banking Treasury Management Search vendor "Oracle" for product "Banking Treasury Management"				14.4 Search vendor "Oracle" for product "Banking Treasury Management" and version "14.4"		-		Affected
Oracle Search vendor "Oracle"		Banking Virtual Account Management Search vendor "Oracle" for product "Banking Virtual Account Management"				14.2.0 Search vendor "Oracle" for product "Banking Virtual Account Management" and version "14.2.0"		-		Affected
Oracle Search vendor "Oracle"		Banking Virtual Account Management Search vendor "Oracle" for product "Banking Virtual Account Management"				14.3.0 Search vendor "Oracle" for product "Banking Virtual Account Management" and version "14.3.0"		-		Affected
Oracle Search vendor "Oracle"		Banking Virtual Account Management Search vendor "Oracle" for product "Banking Virtual Account Management"				14.5.0 Search vendor "Oracle" for product "Banking Virtual Account Management" and version "14.5.0"		-		Affected
Oracle Search vendor "Oracle"		Blockchain Platform Search vendor "Oracle" for product "Blockchain Platform"				<= 21.1.2 Search vendor "Oracle" for product "Blockchain Platform" and version " <= 21.1.2"		-		Affected
Oracle Search vendor "Oracle"		Commerce Platform Search vendor "Oracle" for product "Commerce Platform"				>= 11.3.0 <= 11.3.2 Search vendor "Oracle" for product "Commerce Platform" and version " >= 11.3.0 <= 11.3.2"		-		Affected
Oracle Search vendor "Oracle"		Commerce Platform Search vendor "Oracle" for product "Commerce Platform"				11.2.0 Search vendor "Oracle" for product "Commerce Platform" and version "11.2.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Billing And Revenue Management Search vendor "Oracle" for product "Communications Billing And Revenue Management"				7.5.0.23.0 Search vendor "Oracle" for product "Communications Billing And Revenue Management" and version "7.5.0.23.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Billing And Revenue Management Search vendor "Oracle" for product "Communications Billing And Revenue Management"				12.0.0.3.0 Search vendor "Oracle" for product "Communications Billing And Revenue Management" and version "12.0.0.3.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Cloud Native Core Policy Search vendor "Oracle" for product "Communications Cloud Native Core Policy"				1.14.0 Search vendor "Oracle" for product "Communications Cloud Native Core Policy" and version "1.14.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Cloud Native Core Unified Data Repository Search vendor "Oracle" for product "Communications Cloud Native Core Unified Data Repository"				1.4.0 Search vendor "Oracle" for product "Communications Cloud Native Core Unified Data Repository" and version "1.4.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Convergent Charging Controller Search vendor "Oracle" for product "Communications Convergent Charging Controller"				12.0.4.0.0 Search vendor "Oracle" for product "Communications Convergent Charging Controller" and version "12.0.4.0.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Diameter Signaling Route Search vendor "Oracle" for product "Communications Diameter Signaling Route"				>= 8.0.0.0 <= 8.5.0.0 Search vendor "Oracle" for product "Communications Diameter Signaling Route" and version " >= 8.0.0.0 <= 8.5.0.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Element Manager Search vendor "Oracle" for product "Communications Element Manager"				>= 8.2.0.0 <= 8.2.4.0 Search vendor "Oracle" for product "Communications Element Manager" and version " >= 8.2.0.0 <= 8.2.4.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Evolved Communications Application Server Search vendor "Oracle" for product "Communications Evolved Communications Application Server"				7.1 Search vendor "Oracle" for product "Communications Evolved Communications Application Server" and version "7.1"		-		Affected
Oracle Search vendor "Oracle"		Communications Instant Messaging Server Search vendor "Oracle" for product "Communications Instant Messaging Server"				10.0.1.5.0 Search vendor "Oracle" for product "Communications Instant Messaging Server" and version "10.0.1.5.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Network Charging And Control Search vendor "Oracle" for product "Communications Network Charging And Control"				12.0.4.0.0 Search vendor "Oracle" for product "Communications Network Charging And Control" and version "12.0.4.0.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Offline Mediation Controller Search vendor "Oracle" for product "Communications Offline Mediation Controller"				12.0.0.3 Search vendor "Oracle" for product "Communications Offline Mediation Controller" and version "12.0.0.3"		-		Affected
Oracle Search vendor "Oracle"		Communications Policy Management Search vendor "Oracle" for product "Communications Policy Management"				12.5.0 Search vendor "Oracle" for product "Communications Policy Management" and version "12.5.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Pricing Design Center Search vendor "Oracle" for product "Communications Pricing Design Center"				12.0.0.4.0 Search vendor "Oracle" for product "Communications Pricing Design Center" and version "12.0.0.4.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Services Gatekeeper Search vendor "Oracle" for product "Communications Services Gatekeeper"				7.0 Search vendor "Oracle" for product "Communications Services Gatekeeper" and version "7.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Session Report Manager Search vendor "Oracle" for product "Communications Session Report Manager"				>= 8.0.0.0 <= 8.2.2.1 Search vendor "Oracle" for product "Communications Session Report Manager" and version " >= 8.0.0.0 <= 8.2.2.1"		-		Affected
Oracle Search vendor "Oracle"		Communications Session Route Manager Search vendor "Oracle" for product "Communications Session Route Manager"				>= 8.2.0 <= 8.2.2.1 Search vendor "Oracle" for product "Communications Session Route Manager" and version " >= 8.2.0 <= 8.2.2.1"		-		Affected
Oracle Search vendor "Oracle"		Communications Unified Inventory Management Search vendor "Oracle" for product "Communications Unified Inventory Management"				7.4.1 Search vendor "Oracle" for product "Communications Unified Inventory Management" and version "7.4.1"		-		Affected
Oracle Search vendor "Oracle"		Data Integrator Search vendor "Oracle" for product "Data Integrator"				12.2.1.4.0 Search vendor "Oracle" for product "Data Integrator" and version "12.2.1.4.0"		-		Affected
Oracle Search vendor "Oracle"		Goldengate Application Adapters Search vendor "Oracle" for product "Goldengate Application Adapters"				19.1.0.0.0 Search vendor "Oracle" for product "Goldengate Application Adapters" and version "19.1.0.0.0"		-		Affected
Oracle Search vendor "Oracle"		Insurance Policy Administration Search vendor "Oracle" for product "Insurance Policy Administration"				>= 11.1.0 <= 11.3.0 Search vendor "Oracle" for product "Insurance Policy Administration" and version " >= 11.1.0 <= 11.3.0"		-		Affected
Oracle Search vendor "Oracle"		Insurance Policy Administration Search vendor "Oracle" for product "Insurance Policy Administration"				11.0.2 Search vendor "Oracle" for product "Insurance Policy Administration" and version "11.0.2"		-		Affected
Oracle Search vendor "Oracle"		Insurance Rules Palette Search vendor "Oracle" for product "Insurance Rules Palette"				>= 11.1.0 <= 11.3.0 Search vendor "Oracle" for product "Insurance Rules Palette" and version " >= 11.1.0 <= 11.3.0"		-		Affected
Oracle Search vendor "Oracle"		Insurance Rules Palette Search vendor "Oracle" for product "Insurance Rules Palette"				11.0.2 Search vendor "Oracle" for product "Insurance Rules Palette" and version "11.0.2"		-		Affected
Oracle Search vendor "Oracle"		Jd Edwards Enterpriseone Orchestrator Search vendor "Oracle" for product "Jd Edwards Enterpriseone Orchestrator"				< 9.2.5.3 Search vendor "Oracle" for product "Jd Edwards Enterpriseone Orchestrator" and version " < 9.2.5.3"		-		Affected
Oracle Search vendor "Oracle"		Jd Edwards Enterpriseone Tools Search vendor "Oracle" for product "Jd Edwards Enterpriseone Tools"				< 9.2.5.3 Search vendor "Oracle" for product "Jd Edwards Enterpriseone Tools" and version " < 9.2.5.3"		-		Affected
Oracle Search vendor "Oracle"		Primavera Gateway Search vendor "Oracle" for product "Primavera Gateway"				>= 17.12.0 <= 17.12.11 Search vendor "Oracle" for product "Primavera Gateway" and version " >= 17.12.0 <= 17.12.11"		-		Affected
Oracle Search vendor "Oracle"		Primavera Gateway Search vendor "Oracle" for product "Primavera Gateway"				>= 18.8.0 <= 18.8.11 Search vendor "Oracle" for product "Primavera Gateway" and version " >= 18.8.0 <= 18.8.11"		-		Affected
Oracle Search vendor "Oracle"		Primavera Gateway Search vendor "Oracle" for product "Primavera Gateway"				>= 19.12.0 <= 19.12.10 Search vendor "Oracle" for product "Primavera Gateway" and version " >= 19.12.0 <= 19.12.10"		-		Affected
Oracle Search vendor "Oracle"		Primavera Gateway Search vendor "Oracle" for product "Primavera Gateway"				20.12.0 Search vendor "Oracle" for product "Primavera Gateway" and version "20.12.0"		-		Affected
Oracle Search vendor "Oracle"		Primavera Unifier Search vendor "Oracle" for product "Primavera Unifier"				>= 17.7 <= 17.12 Search vendor "Oracle" for product "Primavera Unifier" and version " >= 17.7 <= 17.12"		-		Affected
Oracle Search vendor "Oracle"		Primavera Unifier Search vendor "Oracle" for product "Primavera Unifier"				18.8 Search vendor "Oracle" for product "Primavera Unifier" and version "18.8"		-		Affected
Oracle Search vendor "Oracle"		Primavera Unifier Search vendor "Oracle" for product "Primavera Unifier"				19.12 Search vendor "Oracle" for product "Primavera Unifier" and version "19.12"		-		Affected
Oracle Search vendor "Oracle"		Primavera Unifier Search vendor "Oracle" for product "Primavera Unifier"				20.12 Search vendor "Oracle" for product "Primavera Unifier" and version "20.12"		-		Affected
Oracle Search vendor "Oracle"		Retail Customer Management And Segmentation Foundation Search vendor "Oracle" for product "Retail Customer Management And Segmentation Foundation"				>= 16.0 <= 19.0 Search vendor "Oracle" for product "Retail Customer Management And Segmentation Foundation" and version " >= 16.0 <= 19.0"		-		Affected
Oracle Search vendor "Oracle"		Retail Merchandising System Search vendor "Oracle" for product "Retail Merchandising System"				15.0.3 Search vendor "Oracle" for product "Retail Merchandising System" and version "15.0.3"		-		Affected
Oracle Search vendor "Oracle"		Retail Service Backbone Search vendor "Oracle" for product "Retail Service Backbone"				14.1.3.2 Search vendor "Oracle" for product "Retail Service Backbone" and version "14.1.3.2"		-		Affected
Oracle Search vendor "Oracle"		Retail Service Backbone Search vendor "Oracle" for product "Retail Service Backbone"				15.0.3.1 Search vendor "Oracle" for product "Retail Service Backbone" and version "15.0.3.1"		-		Affected
Oracle Search vendor "Oracle"		Retail Service Backbone Search vendor "Oracle" for product "Retail Service Backbone"				16.0.3.0 Search vendor "Oracle" for product "Retail Service Backbone" and version "16.0.3.0"		-		Affected
Oracle Search vendor "Oracle"		Retail Xstore Point Of Service Search vendor "Oracle" for product "Retail Xstore Point Of Service"				16.0.6 Search vendor "Oracle" for product "Retail Xstore Point Of Service" and version "16.0.6"		-		Affected
Oracle Search vendor "Oracle"		Retail Xstore Point Of Service Search vendor "Oracle" for product "Retail Xstore Point Of Service"				17.0.4 Search vendor "Oracle" for product "Retail Xstore Point Of Service" and version "17.0.4"		-		Affected
Oracle Search vendor "Oracle"		Retail Xstore Point Of Service Search vendor "Oracle" for product "Retail Xstore Point Of Service"				18.0.3 Search vendor "Oracle" for product "Retail Xstore Point Of Service" and version "18.0.3"		-		Affected
Oracle Search vendor "Oracle"		Retail Xstore Point Of Service Search vendor "Oracle" for product "Retail Xstore Point Of Service"				19.0.2 Search vendor "Oracle" for product "Retail Xstore Point Of Service" and version "19.0.2"		-		Affected
Oracle Search vendor "Oracle"		Webcenter Portal Search vendor "Oracle" for product "Webcenter Portal"				12.2.1.3.0 Search vendor "Oracle" for product "Webcenter Portal" and version "12.2.1.3.0"		-		Affected
Oracle Search vendor "Oracle"		Webcenter Portal Search vendor "Oracle" for product "Webcenter Portal"				12.2.1.4.0 Search vendor "Oracle" for product "Webcenter Portal" and version "12.2.1.4.0"		-		Affected
Fasterxml Search vendor "Fasterxml"		Jackson-databind Search vendor "Fasterxml" for product "Jackson-databind"				>= 2.0.0 < 2.6.7.5 Search vendor "Fasterxml" for product "Jackson-databind" and version " >= 2.0.0 < 2.6.7.5"		-		Affected
Fasterxml Search vendor "Fasterxml"		Jackson-databind Search vendor "Fasterxml" for product "Jackson-databind"				>= 2.7.0 < 2.9.10.8 Search vendor "Fasterxml" for product "Jackson-databind" and version " >= 2.7.0 < 2.9.10.8"		-		Affected