VYPR
High severity · NVD Advisory · Published Mar 26, 2020 · Updated Aug 4, 2024

CVE-2020-10968

Description

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

FasterXML jackson-databind 2.x before 2.9.10.4 allows remote code execution through the bus-proxy RmiProvider gadget when polymorphic (default) typing is enabled and the bus-proxy library is on the application's classpath.

CVE-2020-10968 is a high-severity vulnerability in FasterXML jackson-databind affecting 2.x versions prior to 2.9.10.4. The issue arises from the mishandled interaction between serialization gadgets and polymorphic typing, here involving the org.aoju.bus.proxy.provider.remoting.RmiProvider class from the bus-proxy library. When default typing is enabled, or a property is annotated with @JsonTypeInfo so that the JSON itself names the concrete class to instantiate, an attacker who controls the input can name RmiProvider as that class; Jackson loads it and populates its properties from the attacker's JSON, and because RmiProvider performs an RMI lookup against the server those properties describe, the result is arbitrary code execution [2][4].

Exploitation requires three conditions. The application must enable default typing (for example through the now-deprecated ObjectMapper.enableDefaultTyping()) or use @JsonTypeInfo in a way that lets the input choose the concrete class. The bus-proxy library must be on the application's classpath, since Jackson can only instantiate classes it can load. And the attacker must be able to deliver crafted JSON to a deserialization endpoint; no authentication is typically needed if that endpoint is exposed [2]. Because the gadget works through RMI, the server also needs outbound network connectivity to the attacker's registry. Successful exploitation yields full remote code execution on the server [4].

The vendor fixed the issue in commit 05d7e0e13f43 (Mar 25, 2020, listed under Patches below) and shipped it in 2.9.10.4. The fix adds both org.aoju.bus.proxy.provider.RmiProvider and org.aoju.bus.proxy.provider.remoting.RmiProvider to DEFAULT_NO_DESER_CLASS_NAMES, the deny-list that SubTypeValidator consults before building a bean deserializer [3]. That list is matched by exact class name, so it stops only gadgets the project already knows about; a relocated copy or a newly found gadget class is unprotected until the next patch release, which is why this CVE is one entry in a long series of jackson-databind gadget blocks [1][2]. Users should upgrade to a patched version and treat default typing as something to remove rather than something the deny-list makes safe. Where polymorphic deserialization is genuinely needed, jackson-databind 2.10 and later provide activateDefaultTyping with a PolymorphicTypeValidator, which admits only explicitly allowed base and sub types instead of blocking known-bad ones.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
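The two configurations discussed above side by side, as an added example that is not code from jackson-databind or from this advisory. It assumes jackson-databind 2.10 or later on the classpath (the activateDefaultTyping API does not exist on the 2.9 line this CVE patched), a hypothetical application model with an Object-typed property (Order, Note), and a constructed payload in which the sender picks a benign JDK class to stand in for a gadget; the host name attacker.example is made up.

```java
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

// Added example (not jackson-databind's own code). Requires jackson-databind 2.10+.
public class DefaultTypingDemo {

    // Hypothetical application model: an Object-typed property is exactly what
    // default typing (OBJECT_AND_NON_CONCRETE) serializes as "[class-name, value]",
    // i.e. the wire format in which the sender names the class.
    public static class Order {
        public String id;
        public Object metadata;
    }

    // The one concrete type the application legitimately stores in 'metadata'.
    public static class Note {
        public String text;
    }

    // Vulnerable configuration: the deprecated call accepts any loadable class the
    // JSON names, limited only by SubTypeValidator's deny-list of known gadgets.
    @SuppressWarnings("deprecation")
    static ObjectMapper legacyMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(); // OBJECT_AND_NON_CONCRETE with WRAPPER_ARRAY
        return m;
    }

    // Hardened configuration: an allow-list validator. A class that is not assignable
    // to Note is refused before any of its setters run, whether or not it is a known gadget.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Note.class)
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return m;
    }

    // Returns the runtime class the JSON selected for 'metadata', or null if the mapper refused it.
    static Class<?> metadataClass(ObjectMapper mapper, String json) {
        try {
            Order o = mapper.readValue(json, Order.class);
            return o.metadata == null ? null : o.metadata.getClass();
        } catch (JsonMappingException e) {
            // Both the 2.9 deny-list and the 2.10+ validator report through this type.
            System.out.println("refused: " + e.getOriginalMessage());
            return null;
        } catch (java.io.IOException e) {
            throw new java.io.UncheckedIOException(e);
        }
    }

    public static void main(String[] args) {
        // Constructed inputs. java.util.HashMap stands in for a gadget class such as
        // RmiProvider: the point is that the class name arrives from the wire.
        String attackerChosen =
            "{\"id\":\"1\",\"metadata\":[\"java.util.HashMap\",{\"host\":\"attacker.example\"}]}";
        String legitimate =
            "{\"id\":\"2\",\"metadata\":[\"" + Note.class.getName() + "\",{\"text\":\"hi\"}]}";

        System.out.println("legacy,   attacker-chosen type: " + metadataClass(legacyMapper(), attackerChosen));
        System.out.println("hardened, attacker-chosen type: " + metadataClass(hardenedMapper(), attackerChosen));
        System.out.println("hardened, allow-listed type   : " + metadataClass(hardenedMapper(), legitimate));
    }
}
```

With the legacy mapper the first line reports java.util.HashMap: the sender, not the application, decided which class was instantiated, and on a pre-2.9.10.4 jar with bus-proxy present the same position could carry the RmiProvider name from the description. The hardened mapper refuses the HashMap payload (an InvalidTypeIdException saying the configured PolymorphicTypeValidator denied resolution) and still accepts Note, so the allow-list protects against gadget classes that no deny-list has heard of yet.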

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: com.fasterxml.jackson.core:jackson-databind (Maven)
Affected versions: >= 2.9.0, < 2.9.10.4
Patched versions: 2.9.10.4


Patches (2)
08fbfacf89a4

fix: merge fix from 2.9 branch #2653 #2658 #2659 #2660 #2662 #2664 #2666 #2670 #2680 #2682 #2688 #2698 #2704 #2765 #2798 #2814 #2826 #2827 #2854 (#2858)

1 file changed · +78 -11
  • src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java · +78 -11 · modified
    @@ -48,6 +48,9 @@ public class SubTypeValidator
             // [databind#1737]; 3rd party
     //s.add("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor"); // deprecated by [databind#1855]
             s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean");
    +        // [databind#2680]
    +        s.add("org.springframework.aop.config.MethodLocatingFactoryBean");
    +        s.add("org.springframework.beans.factory.config.BeanReferenceFactoryBean");
     
     // s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource"); // deprecated by [databind#1931]
     // s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"); // - "" -
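Review bot: the two [databind#2680] entries are exact fully-qualified-name matches, like every other string in this set, so a subclass of MethodLocatingFactoryBean or BeanReferenceFactoryBean, or a relocated copy under another package, passes this check unchanged; the shaded hikari entry later in this same file (org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig) shows that relocation is already happening in practice. Suggest a one-line comment on DEFAULT_NO_DESER_CLASS_NAMES stating that it is an exact-name deny-list and that callers must not treat it as a substitute for restricting polymorphic typing. Minor: the new block is wedged directly under the [databind#1737] Spring entries with no separating blank line, unlike the other issue-tagged groups.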
    @@ -73,24 +76,26 @@ public class SubTypeValidator
             s.add("com.sun.deploy.security.ruleset.DRSHelper");
             s.add("org.apache.axis2.jaxws.spi.handler.HandlerResolverImpl");
     
    -        // [databind#2186]: yet more 3rd party gadgets
    +        // [databind#2186], [databind#2670]: yet more 3rd party gadgets
             s.add("org.jboss.util.propertyeditor.DocumentEditor");
             s.add("org.apache.openjpa.ee.RegistryManagedRuntime");
             s.add("org.apache.openjpa.ee.JNDIManagedRuntime");
    -        s.add("org.apache.axis2.transport.jms.JMSOutTransportInfo");   
    -        
    -        // [databind#2326] (2.7.9.6): one more 3rd party gadget
    +        s.add("org.apache.openjpa.ee.WASRegistryManagedRuntime"); // [#2670] addition
    +        s.add("org.apache.axis2.transport.jms.JMSOutTransportInfo");
    +
    +        // [databind#2326] (2.9.9)
             s.add("com.mysql.cj.jdbc.admin.MiniAdmin");
     
    -        // [databind#2334]: logback-core
    +        // [databind#2334]: logback-core (2.9.9.1)
             s.add("ch.qos.logback.core.db.DriverManagerConnectionSource");
     
    -        // [databind#2341]: jdom/jdom2
    +        // [databind#2341]: jdom/jdom2 (2.9.9.1)
             s.add("org.jdom.transform.XSLTransformer");
             s.add("org.jdom2.transform.XSLTransformer");
     
    -        // [databind#2387]: EHCache
    +        // [databind#2387], [databind#2460]: EHCache
             s.add("net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup");
    +        s.add("net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup");
     
             // [databind#2389]: logback/jndi
             s.add("ch.qos.logback.core.db.JNDIConnectionSource");
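Review bot: the issue and version annotations in this hunk use three different formats: "[databind#2670]" in the header comment, "// [#2670] addition" on the WASRegistryManagedRuntime line, and "(2.9.9)" / "(2.9.9.1)" version tags on some groups but not others. Pick one form, for example "[databind#NNNN] (version)", and apply it throughout, since these comments are the only record of which release first blocked a class. Also check the edit of "[databind#2326] (2.7.9.6)" to "(2.9.9)": if the entry was indeed back-ported to 2.7.9.6, the rewrite drops that information rather than correcting it.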
    @@ -107,8 +112,10 @@ public class SubTypeValidator
             s.add("org.apache.commons.configuration.JNDIConfiguration");
             s.add("org.apache.commons.configuration2.JNDIConfiguration");
     
    -        // [databind#2469]: xalan2
    +        // [databind#2469]: xalan
             s.add("org.apache.xalan.lib.sql.JNDIConnectionPool");
    +        // [databind#2704]: xalan2
    +        s.add("com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool");
     
             // [databind#2478]: comons-dbcp, p6spy
             s.add("org.apache.commons.dbcp.datasources.PerUserPoolDataSource");
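Review bot: the "xalan2" label on the [databind#2704] entry is misleading; com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool is the JDK-bundled repackaging of the same org.apache.xalan.lib.sql.JNDIConnectionPool blocked under [databind#2469], not a second Xalan version. Suggest "// [databind#2704]: xalan as repackaged inside the JDK (com.sun.org.apache)". The same class appears a third time later in this diff under apache/drill (oadd.org.apache.xalan.lib.sql.JNDIConnectionPool), so this is one gadget reached through three package prefixes; worth a comment tying the three entries together so the next relocation is recognised as the same case.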
    @@ -129,15 +136,75 @@ public class SubTypeValidator
             // [databind#2631]: shaded hikari-config
             s.add("org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig");
     
    -        // [databind#2634]: ibatis-sqlmap, anteros-core
    +        // [databind#2634]: ibatis-sqlmap, anteros-core/-dbcp
             s.add("com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig");
             s.add("br.com.anteros.dbcp.AnterosDBCPConfig");
    +        // [databind#2814]: anteros-dbcp
    +        s.add("br.com.anteros.dbcp.AnterosDBCPDataSource");
     
    -        // [databind#2642]: javax.swing (jdk)
    +        // [databind#2642][databind#2854]: javax.swing (jdk)
             s.add("javax.swing.JEditorPane");
    +        s.add("javax.swing.JTextPane");
     
    -        // [databind#2648]: shire-core
    +        // [databind#2648], [databind#2653]: shire-core
             s.add("org.apache.shiro.realm.jndi.JndiRealmFactory");
    +        s.add("org.apache.shiro.jndi.JndiObjectFactory");
    +
    +        // [databind#2658]: ignite-jta (, quartz-core)
    +        s.add("org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup");
    +        s.add("org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory");
    +        s.add("org.quartz.utils.JNDIConnectionProvider");
    +
    +        // [databind#2659]: aries.transaction.jms
    +        s.add("org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory");
    +        s.add("org.apache.aries.transaction.jms.RecoverablePooledConnectionFactory");
    +
    +        // [databind#2660]: caucho-quercus
    +        s.add("com.caucho.config.types.ResourceRef");
    +
    +        // [databind#2662]: aoju/bus-proxy
    +        s.add("org.aoju.bus.proxy.provider.RmiProvider");
    +        s.add("org.aoju.bus.proxy.provider.remoting.RmiProvider");
    +
    +        // [databind#2664]: activemq-core, activemq-pool, activemq-pool-jms
    +
    +        s.add("org.apache.activemq.ActiveMQConnectionFactory"); // core
    +        s.add("org.apache.activemq.ActiveMQXAConnectionFactory");
    +        s.add("org.apache.activemq.spring.ActiveMQConnectionFactory");
    +        s.add("org.apache.activemq.spring.ActiveMQXAConnectionFactory");
    +        s.add("org.apache.activemq.pool.JcaPooledConnectionFactory"); // pool
    +        s.add("org.apache.activemq.pool.PooledConnectionFactory");
    +        s.add("org.apache.activemq.pool.XaPooledConnectionFactory");
    +        s.add("org.apache.activemq.jms.pool.XaPooledConnectionFactory"); // pool-jms
    +        s.add("org.apache.activemq.jms.pool.JcaPooledConnectionFactory");
    +        
    +        // [databind#2666]: apache/commons-jms
    +        s.add("org.apache.commons.proxy.provider.remoting.RmiProvider");
    +
    +        // [databind#2682]: commons-jelly
    +        s.add("org.apache.commons.jelly.impl.Embedded");
    +
    +        // [databind#2688]: apache/drill
    +        s.add("oadd.org.apache.xalan.lib.sql.JNDIConnectionPool");
    +
    +        // [databind#2698]: weblogic w/ oracle/aq-jms
    +        // (note: dependency not available via Maven Central, but as part of
    +        // weblogic installation, possibly fairly old version(s))
    +        s.add("oracle.jms.AQjmsQueueConnectionFactory");
    +        s.add("oracle.jms.AQjmsXATopicConnectionFactory");
    +        s.add("oracle.jms.AQjmsTopicConnectionFactory");
    +        s.add("oracle.jms.AQjmsXAQueueConnectionFactory");
    +        s.add("oracle.jms.AQjmsXAConnectionFactory");
    +
    +        // [databind#2764]: org.jsecurity:
    +        s.add("org.jsecurity.realm.jndi.JndiRealmFactory");
    +
    +        // [databind#2798]: com.pastdev.httpcomponents:
    +        s.add("com.pastdev.httpcomponents.configuration.JndiConfiguration");
    +
    +        // [databind#2826], [databind#2827]
    +        s.add("com.nqadmin.rowset.JdbcRowSetImpl");
    +        s.add("org.arrah.framework.rdbms.UpdatableJdbcRowsetImpl");
     
             DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
         }
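Review bot: the "[databind#2666]: apache/commons-jms" header does not match the class it introduces; org.apache.commons.proxy.provider.remoting.RmiProvider belongs to commons-proxy, and the release note in the second commit of this advisory calls the same fix "apache/commons-proxy". Correct the comment. Two further inconsistencies in the same hunk: the code comment says [databind#2764] for org.jsecurity.realm.jndi.JndiRealmFactory while the commit message lists #2765, so one of the two is a typo, and "shire-core" should read "shiro-core". Style: there is a stray blank line between the activemq header comment and its first s.add, and trailing whitespace after the last activemq entry. The paired bus-proxy entries (provider.RmiProvider and provider.remoting.RmiProvider) are the right call, since they cover the two package layouts of the gadget named in this CVE.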
    
05d7e0e13f43

Fix #2662, #2664, #2666

https://github.com/FasterXML/jackson-databind · Tatu Saloranta · Mar 25, 2020 · via ghsa
2 files changed · +17 -1
  • release-notes/VERSION-2.x · +6 -0 · modified
    @@ -20,6 +20,12 @@ Project: jackson-databind
      (reported by Srikanth Ramu)
     #2660: Block one more gadget type (caucho-quercus, CVE-2020-10673)
      (reported by threedr3am'follower)
    +#2662: Block one more gadget type (bus-proxy)
    + (reported by XuYuanzhen)
    +#2664: Block one more gadget type (activemq)
    + (reported by Srikanth Ramu)
    +#2666: Block one more gadget type (apache/commons-proxy)
    + (reported by Yiting Fan)
     
     2.9.10.3 (23-Feb-2020)
     
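Review bot: the new "#2662: Block one more gadget type (bus-proxy)" entry omits the CVE identifier, although the #2660 entry immediately above it cites CVE-2020-10673 in the same position. Write it as "(bus-proxy, CVE-2020-10968)" so the release notes can be searched by CVE, and add identifiers to the #2664 and #2666 entries as well if they have been assigned.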
    
  • src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java · +11 -1 · modified
    @@ -153,7 +153,17 @@ public class SubTypeValidator
     
             // [databind#2660]: caucho-quercus
             s.add("com.caucho.config.types.ResourceRef");
    -        
    +
    +        // [databind#2662]: aoju/bus-proxy
    +        s.add("org.aoju.bus.proxy.provider.RmiProvider");
    +        s.add("org.aoju.bus.proxy.provider.remoting.RmiProvider");
    +
    +        // [databind#2664]: activemq-jms
    +        s.add("org.apache.activemq.jms.pool.XaPooledConnectionFactory");
    +
    +        // [databind#2666]: apache/commons-jms
    +        s.add("org.apache.commons.proxy.provider.remoting.RmiProvider");
    +
             DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
         }
     
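Review bot: #2664 blocks a single class here, org.apache.activemq.jms.pool.XaPooledConnectionFactory, whereas the merge commit above lists nine activemq entries under the same issue number, including the non-pooled org.apache.activemq.ActiveMQConnectionFactory and the spring and XA variants. Confirm that the remaining entries were also back-ported to the 2.9 branch before the release, since a single-class block for a family of sibling factories is the kind of gap the later entries were added to close. The header "activemq-jms" also differs from the "activemq-core, activemq-pool, activemq-pool-jms" wording used for the same group in the merge, and "apache/commons-jms" for the commons-proxy RmiProvider is the mislabel noted on the first commit.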
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
