CVE-2020-10650
Description
A deserialization flaw was discovered in jackson-databind through 2.9.10.4. It could allow an unauthenticated user to perform code execution via ignite-jta or quartz-core: org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup, org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory, and org.quartz.utils.JNDIConnectionProvider.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A deserialization vulnerability in jackson-databind before 2.9.10.5 allows unauthenticated remote code execution via ignite-jta or quartz-core gadgets.
Vulnerability
Description
CVE-2020-10650 is a deserialization flaw in FasterXML jackson-databind through version 2.9.10.4. The root cause is the unsafe deserialization of polymorphic types, which can be exploited when the application enables default typing or uses @JsonTypeInfo with JsonTypeInfo.Id.CLASS or JsonTypeInfo.Id.MINIMAL_CLASS. This allows an attacker to instantiate arbitrary classes from the classpath, leading to remote code execution [2].
Exploitation
An unauthenticated attacker can trigger the vulnerability by sending a crafted JSON payload that references specific gadget classes from the ignite-jta or quartz-core libraries. The identified gadget chains are org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup, org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory, and org.quartz.utils.JNDIConnectionProvider [3]. No authentication is required, and the attack can be performed over the network if the application deserializes untrusted JSON data.
Impact
Successful exploitation allows an attacker to execute arbitrary code on the server with the privileges of the application process. This can lead to full compromise of the affected system, including data theft, service disruption, or lateral movement within the network [2].
Mitigation
The vulnerability is fixed in jackson-databind version 2.9.10.5 and later. Users should upgrade to a patched version immediately. For those unable to upgrade, backports have been made available for older branches, including 2.6.x, as demonstrated in pull request #2864 [4]. Additionally, disabling default typing or restricting allowed deserialization classes can serve as a workaround.
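As an added example (not code from this advisory or from the jackson-databind project), the weak configuration the gadget classes depend on beside a hardened one that uses the allowlist-based PolymorphicTypeValidator available from jackson-databind 2.10; the package prefix com.example.model. and the sample payload are assumptions.

```java
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public final class JacksonTypingConfig {

    // WEAK: global default typing lets the JSON document name any class on the
    // classpath; only the SubTypeValidator denylist stands between a payload and
    // gadget classes such as the ones blocked for CVE-2020-10650.
    @SuppressWarnings("deprecation")
    public static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // HARDENED: if polymorphic typing is genuinely needed, accept only subtypes
    // from the application's own package (assumed prefix "com.example.model.").
    // The same validator also governs @JsonTypeInfo(use = Id.CLASS) properties.
    public static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")   // assumed package prefix
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.setPolymorphicTypeValidator(ptv);        // annotated types
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // Check: feed a constructed default-typing payload whose type id names a
    // benign JDK class outside the allowlist; the hardened mapper refuses it,
    // the weak mapper instantiates it.
    public static boolean refusesTypeOutsideAllowlist(ObjectMapper mapper) {
        String json = "[\"java.util.HashMap\", {}]";   // constructed sample
        try {
            mapper.readValue(json, Object.class);
            return false;                               // type id accepted
        } catch (JsonProcessingException e) {
            return true;                                // denied by validator
        }
    }

    public static void main(String[] args) {
        System.out.println("weak mapper refuses foreign type id: "
                + refusesTypeOutsideAllowlist(weakMapper()));
        System.out.println("hardened mapper refuses foreign type id: "
                + refusesTypeOutsideAllowlist(hardenedMapper()));
    }
}
```

Disabling default typing outright (the plain `new ObjectMapper()` default) remains the simplest mitigation when no polymorphic deserialization is required.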
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.fasterxml.jackson.core:jackson-databind (Maven) | < 2.9.10.4 | 2.9.10.4 |
Affected products
- jackton-databind/jackson-databind
Patches
Commit a424c038ba0c: Fix #2658
2 files changed · +6 −0
release-notes/VERSION-2.x+1 −0 modified@@ -14,6 +14,7 @@ Project: jackson-databind (reported by threedr3am) #2648: Block one more gadget type (shiro-core) #2653: Block one more gadget type (shiro-core) +#2658: Block one more gadget type (ignite-jta) 2.9.10.3 (23-Feb-2020)
src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java+5 −0 modified@@ -142,6 +142,11 @@ public class SubTypeValidator s.add("org.apache.shiro.realm.jndi.JndiRealmFactory"); s.add("org.apache.shiro.jndi.JndiObjectFactory"); + // [databind#2658]: ignite-jta (, quartz-core) + s.add("org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup"); + s.add("org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory"); + s.add("org.quartz.utils.JNDIConnectionProvider"); + DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s); }
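Review bot: the release-notes line `+#2658: Block one more gadget type (ignite-jta)` in the VERSION-2.x hunk names only ignite-jta, while the SubTypeValidator hunk in the same commit also blocks `org.quartz.utils.JNDIConnectionProvider` from quartz-core; suggest `#2658: Block more gadget types (ignite-jta, quartz-core)` so the release notes match what the code actually blocks.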
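Review bot: the three `s.add(...)` lines in the SubTypeValidator hunk extend DEFAULT_NO_DESER_CLASS_NAMES, a set of exact class names, so the protection is a reactive denylist: other JNDI-capable classes in the same libraries, or subclasses of these three, are not covered, and users relying on default typing should be pointed to an allowlist instead. The added comment `// [databind#2658]: ignite-jta (, quartz-core)` also reads oddly; suggest `// [databind#2658]: ignite-jta, quartz-core`, and a test under src/test asserting that each of the three names is rejected by SubTypeValidator so the entries cannot regress silently.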
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-rpr3-cw39-3pxh (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-10650 (GHSA, advisory)
- github.com/FasterXML/jackson-databind/commit/a424c038ba0c0d65e579e22001dec925902ac0ef (GHSA, web)
- github.com/FasterXML/jackson-databind/issues/2658 (GHSA, web)
- github.com/FasterXML/jackson-databind/pull/2864 (GHSA, web)
- github.com/luisgarciacheckmarx/LGV_onefile/issues/19 (GHSA, web)
- lists.debian.org/debian-lts-announce/2023/04/msg00032.html (GHSA, web)
- medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 (GHSA, web)
- security.netapp.com/advisory/ntap-20230818-0007 (GHSA, web)
- www.oracle.com/security-alerts/cpujan2021.html (GHSA, web)
- www.oracle.com/security-alerts/cpuoct2022.html (GHSA, web)
- medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 (MITRE)
- security.netapp.com/advisory/ntap-20230818-0007/ (MITRE)