VYPR
High severity · NVD Advisory · Published Mar 18, 2020 · Updated Aug 4, 2024

CVE-2020-10672

Description

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

FasterXML jackson-databind before 2.9.10.4 allows remote code execution via a crafted gadget from aries.transaction.jms when default typing is enabled.

Vulnerability

Overview

CVE-2020-10672 is an unsafe deserialization vulnerability in FasterXML jackson-databind versions prior to 2.9.10.4. The issue stems from improper handling of the interaction between serialization gadgets and typing, specifically allowing the class org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (from the aries.transaction.jms library) to be used as a gadget [2][4]. When default typing is enabled or @JsonTypeInfo is used, an attacker can supply a malicious JSON payload that instantiates this class, leading to remote code execution.

Exploitation

To exploit this vulnerability, the attacker must be able to send crafted JSON data to an application that uses jackson-databind with default typing enabled (or a similar configuration that allows polymorphic type resolution). No authentication is required where the application deserializes untrusted input [2]. The attacker then includes the aries.transaction.jms gadget in the JSON, which triggers a chain of operations culminating in arbitrary code execution [3].

Impact

Successful exploitation allows an attacker to execute arbitrary code on the target system with the privileges of the application process. This can lead to full compromise of the application and potentially the underlying server, including data theft, malware installation, or lateral movement within the network [2].

Mitigation

The vulnerability is fixed in jackson-databind version 2.9.10.4 and later. Users should upgrade immediately to this version or newer [3]. As a general best practice, avoid enabling default typing unless absolutely necessary, and consider using a custom type validator to restrict allowed classes [4]. The fix adds org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory to the block list of known dangerous types [3].
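The allow-list approach the mitigation paragraph recommends, as an added example that is not part of this advisory or of jackson-databind's own code: it assumes an application package com.example.model (hypothetical) and jackson-databind 2.10 or later, where BasicPolymorphicTypeValidator and activateDefaultTyping are available, and shows the mapper resolving a type id inside the allow-list while refusing the block-listed aries.transaction.jms class by name.

```java
package com.example.model; // hypothetical application package named by the allow-list below

import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class SafeMapperDemo {

    // A harmless application type that polymorphic JSON is permitted to name.
    public static class Invoice {
        public String id;
    }

    // Builds an ObjectMapper whose default typing only resolves type ids under our
    // own package. Any other class name (including every entry on jackson-databind's
    // SubTypeValidator block list, such as the aries.transaction.jms gadget) is
    // refused by name before the class is loaded or instantiated.
    public static ObjectMapper newMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")   // allow-list by package prefix
                .build();
        ObjectMapper mapper = new ObjectMapper();
        // activateDefaultTyping(ptv, ...) exists from jackson-databind 2.10 onward and
        // replaces the validator-less enableDefaultTyping() configuration the CVE relies on.
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = newMapper();

        // Allowed: the type id is under com.example.model, so it deserializes normally.
        // (WRAPPER_ARRAY form: ["<class name>", {...}] is what default typing emits.)
        String ok = "[\"com.example.model.SafeMapperDemo$Invoice\",{\"id\":\"INV-1\"}]";
        Invoice inv = (Invoice) mapper.readValue(ok, Object.class);
        System.out.println("allowed type resolved: " + inv.id);

        // Denied: the class named in this advisory lies outside the allow-list.
        String bad = "[\"org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory\",{}]";
        try {
            mapper.readValue(bad, Object.class);
            System.out.println("UNEXPECTED: unlisted type id was accepted");
        } catch (InvalidTypeIdException e) {
            // Thrown whether the class is absent from the classpath or present but unlisted.
            System.out.println("rejected type id: " + e.getTypeId());
        }
    }
}
```

Upgrading to 2.9.10.4 removes this particular gadget from the block list's blind spot, but the allow-list is what closes the class of bug, since it does not depend on every future gadget being enumerated.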

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: com.fasterxml.jackson.core:jackson-databind (Maven)
Affected versions: >= 2.9.0, < 2.9.10.4
Patched versions: 2.9.10.4

Affected products: 4

Patches (2)
08fbfacf89a4

fix: merge fix from 2.9 branch #2653 #2658 #2659 #2660 #2662 #2664 #2666 #2670 #2680 #2682 #2688 #2698 #2704 #2765 #2798 #2814 #2826 #2827 #2854 (#2858)

1 file changed · +78 −11
  • src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java (+78 −11, modified)
    @@ -48,6 +48,9 @@ public class SubTypeValidator
             // [databind#1737]; 3rd party
     //s.add("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor"); // deprecated by [databind#1855]
             s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean");
    +        // [databind#2680]
    +        s.add("org.springframework.aop.config.MethodLocatingFactoryBean");
    +        s.add("org.springframework.beans.factory.config.BeanReferenceFactoryBean");
     
     // s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource"); // deprecated by [databind#1931]
     // s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"); // - "" -
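Review bot: the two new Spring entries under `// [databind#2680]` are placed inside the group that the preceding comment labels `[databind#1737]; 3rd party`, with no blank line separating them, so a reader scanning this file by issue number will not see them as a distinct addition; every other issue group in SubTypeValidator starts after a blank line, and following that convention here (blank line, then the `// [databind#2680]` comment and its two `s.add(...)` lines) keeps the list navigable.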
    @@ -73,24 +76,26 @@ public class SubTypeValidator
             s.add("com.sun.deploy.security.ruleset.DRSHelper");
             s.add("org.apache.axis2.jaxws.spi.handler.HandlerResolverImpl");
     
    -        // [databind#2186]: yet more 3rd party gadgets
    +        // [databind#2186], [databind#2670]: yet more 3rd party gadgets
             s.add("org.jboss.util.propertyeditor.DocumentEditor");
             s.add("org.apache.openjpa.ee.RegistryManagedRuntime");
             s.add("org.apache.openjpa.ee.JNDIManagedRuntime");
    -        s.add("org.apache.axis2.transport.jms.JMSOutTransportInfo");   
    -        
    -        // [databind#2326] (2.7.9.6): one more 3rd party gadget
    +        s.add("org.apache.openjpa.ee.WASRegistryManagedRuntime"); // [#2670] addition
    +        s.add("org.apache.axis2.transport.jms.JMSOutTransportInfo");
    +
    +        // [databind#2326] (2.9.9)
             s.add("com.mysql.cj.jdbc.admin.MiniAdmin");
     
    -        // [databind#2334]: logback-core
    +        // [databind#2334]: logback-core (2.9.9.1)
             s.add("ch.qos.logback.core.db.DriverManagerConnectionSource");
     
    -        // [databind#2341]: jdom/jdom2
    +        // [databind#2341]: jdom/jdom2 (2.9.9.1)
             s.add("org.jdom.transform.XSLTransformer");
             s.add("org.jdom2.transform.XSLTransformer");
     
    -        // [databind#2387]: EHCache
    +        // [databind#2387], [databind#2460]: EHCache
             s.add("net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup");
    +        s.add("net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup");
     
             // [databind#2389]: logback/jndi
             s.add("ch.qos.logback.core.db.JNDIConnectionSource");
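Review bot: the release annotations added to the comments in this hunk are applied inconsistently: `// [databind#2326] (2.9.9)` and `// [databind#2334]: logback-core (2.9.9.1)` now carry the release that introduced them, but the `[databind#2670]` additions and the new `[databind#2460]` EHCache entry do not, so a partially tagged list reads as if the untagged entries were never released. Either tag every group or drop the tags. Also, the `WASRegistryManagedRuntime` line carries an inline `// [#2670] addition` that duplicates the group comment just updated to mention `[databind#2670]`; one of the two is enough.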
    @@ -107,8 +112,10 @@ public class SubTypeValidator
             s.add("org.apache.commons.configuration.JNDIConfiguration");
             s.add("org.apache.commons.configuration2.JNDIConfiguration");
     
    -        // [databind#2469]: xalan2
    +        // [databind#2469]: xalan
             s.add("org.apache.xalan.lib.sql.JNDIConnectionPool");
    +        // [databind#2704]: xalan2
    +        s.add("com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool");
     
             // [databind#2478]: comons-dbcp, p6spy
             s.add("org.apache.commons.dbcp.datasources.PerUserPoolDataSource");
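Review bot: relabeling the existing entry from "xalan2" to "xalan" and introducing a new `// [databind#2704]: xalan2` comment is confusing, because the class added under it, `com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool`, is the JDK's repackaged internal copy of Xalan rather than a separate "xalan2" artifact; a label such as "xalan (jdk-internal copy)" would tell the next maintainer why two near-identical names are listed. Unrelated to the change but visible in context: `comons-dbcp` in the `[databind#2478]` comment is misspelled.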
    @@ -129,15 +136,75 @@ public class SubTypeValidator
             // [databind#2631]: shaded hikari-config
             s.add("org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig");
     
    -        // [databind#2634]: ibatis-sqlmap, anteros-core
    +        // [databind#2634]: ibatis-sqlmap, anteros-core/-dbcp
             s.add("com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig");
             s.add("br.com.anteros.dbcp.AnterosDBCPConfig");
    +        // [databind#2814]: anteros-dbcp
    +        s.add("br.com.anteros.dbcp.AnterosDBCPDataSource");
     
    -        // [databind#2642]: javax.swing (jdk)
    +        // [databind#2642][databind#2854]: javax.swing (jdk)
             s.add("javax.swing.JEditorPane");
    +        s.add("javax.swing.JTextPane");
     
    -        // [databind#2648]: shire-core
    +        // [databind#2648], [databind#2653]: shire-core
             s.add("org.apache.shiro.realm.jndi.JndiRealmFactory");
    +        s.add("org.apache.shiro.jndi.JndiObjectFactory");
    +
    +        // [databind#2658]: ignite-jta (, quartz-core)
    +        s.add("org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup");
    +        s.add("org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory");
    +        s.add("org.quartz.utils.JNDIConnectionProvider");
    +
    +        // [databind#2659]: aries.transaction.jms
    +        s.add("org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory");
    +        s.add("org.apache.aries.transaction.jms.RecoverablePooledConnectionFactory");
    +
    +        // [databind#2660]: caucho-quercus
    +        s.add("com.caucho.config.types.ResourceRef");
    +
    +        // [databind#2662]: aoju/bus-proxy
    +        s.add("org.aoju.bus.proxy.provider.RmiProvider");
    +        s.add("org.aoju.bus.proxy.provider.remoting.RmiProvider");
    +
    +        // [databind#2664]: activemq-core, activemq-pool, activemq-pool-jms
    +
    +        s.add("org.apache.activemq.ActiveMQConnectionFactory"); // core
    +        s.add("org.apache.activemq.ActiveMQXAConnectionFactory");
    +        s.add("org.apache.activemq.spring.ActiveMQConnectionFactory");
    +        s.add("org.apache.activemq.spring.ActiveMQXAConnectionFactory");
    +        s.add("org.apache.activemq.pool.JcaPooledConnectionFactory"); // pool
    +        s.add("org.apache.activemq.pool.PooledConnectionFactory");
    +        s.add("org.apache.activemq.pool.XaPooledConnectionFactory");
    +        s.add("org.apache.activemq.jms.pool.XaPooledConnectionFactory"); // pool-jms
    +        s.add("org.apache.activemq.jms.pool.JcaPooledConnectionFactory");
    +        
    +        // [databind#2666]: apache/commons-jms
    +        s.add("org.apache.commons.proxy.provider.remoting.RmiProvider");
    +
    +        // [databind#2682]: commons-jelly
    +        s.add("org.apache.commons.jelly.impl.Embedded");
    +
    +        // [databind#2688]: apache/drill
    +        s.add("oadd.org.apache.xalan.lib.sql.JNDIConnectionPool");
    +
    +        // [databind#2698]: weblogic w/ oracle/aq-jms
    +        // (note: dependency not available via Maven Central, but as part of
    +        // weblogic installation, possibly fairly old version(s))
    +        s.add("oracle.jms.AQjmsQueueConnectionFactory");
    +        s.add("oracle.jms.AQjmsXATopicConnectionFactory");
    +        s.add("oracle.jms.AQjmsTopicConnectionFactory");
    +        s.add("oracle.jms.AQjmsXAQueueConnectionFactory");
    +        s.add("oracle.jms.AQjmsXAConnectionFactory");
    +
    +        // [databind#2764]: org.jsecurity:
    +        s.add("org.jsecurity.realm.jndi.JndiRealmFactory");
    +
    +        // [databind#2798]: com.pastdev.httpcomponents:
    +        s.add("com.pastdev.httpcomponents.configuration.JndiConfiguration");
    +
    +        // [databind#2826], [databind#2827]
    +        s.add("com.nqadmin.rowset.JdbcRowSetImpl");
    +        s.add("org.arrah.framework.rdbms.UpdatableJdbcRowsetImpl");
     
             DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
         }
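Review bot: the comment `// [databind#2666]: apache/commons-jms` does not match the class added beneath it, `org.apache.commons.proxy.provider.remoting.RmiProvider`, which belongs to Apache Commons Proxy; please correct the label so the block list stays searchable by library name. Smaller points in the same hunk: `// [databind#2764]: org.jsecurity:` cites an issue number that does not appear in the commit title (which lists #2765), so one of the two looks like a typo; the activemq group has a stray blank line between its comment and its first `s.add`, unlike every other group; the line following `JcaPooledConnectionFactory` adds trailing whitespace; and `// [databind#2642][databind#2854]` lacks the comma separator the other combined comments use.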
    
592872f4235c

Fix #2659

https://github.com/FasterXML/jackson-databind · Tatu Saloranta · Mar 16, 2020 · via ghsa
2 files changed · +5 −0
  • release-notes/VERSION-2.x (+2 −0, modified)
    @@ -15,6 +15,8 @@ Project: jackson-databind
     #2648: Block one more gadget type (shiro-core)
     #2653: Block one more gadget type (shiro-core)
     #2658: Block one more gadget type (ignite-jta)
    +#2659: Block one more gadget type (aries.transaction.jms)
    + (reported by Srikanth Ramu)
     
     2.9.10.3 (23-Feb-2020)
     
    
  • src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java (+3 −0, modified)
    @@ -147,6 +147,9 @@ public class SubTypeValidator
             s.add("org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory");
             s.add("org.quartz.utils.JNDIConnectionProvider");
     
    +        // [databind#2659]: aries.transaction.jms
    +        s.add("org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory");
    +
             DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
         }
     
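Review bot: this 2.9-branch fix blocks only `org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory`, whereas the merge commit shown above for the same issue also adds `org.apache.aries.transaction.jms.RecoverablePooledConnectionFactory` from the same library; unless the second class was deliberately deferred, the 2.9.10.4 block list leaves a sibling type from the same package unlisted, and the `#2659` release note should state exactly which classes are covered so downstream users can tell whether they are protected.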
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (14)
