VYPR
High severity · NVD Advisory · Published Mar 31, 2020 · Updated Aug 4, 2024

CVE-2020-11111

Description

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

FasterXML jackson-databind before 2.9.10.4 allows remote code execution via unsafe deserialization using activemq gadgets.

Root cause

CVE-2020-11111 is a remote code execution vulnerability in FasterXML jackson-databind 2.x prior to version 2.9.10.4 [1]. The flaw stems from improper handling of the interaction between serialization gadgets and the enableDefaultTyping() feature [2]. Specifically, the software fails to block a gadget chain involving classes from the org.apache.activemq package (activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms) [2].

Exploitation

An attacker can exploit this vulnerability by crafting a malicious JSON payload that, when deserialized by an application using a vulnerable version of jackson-databind with default typing enabled, triggers the activemq gadget chain [2]. No authentication is required, and the attack can be delivered over the network. The vulnerability is part of a series of similar issues in jackson-databind arising from incomplete gadget blocking [3].

Impact

Successful exploitation allows an attacker to achieve remote code execution in the context of the application server [2]. This can lead to full system compromise, data theft, or further lateral movement within the network.

Mitigation

The vulnerability is fixed in jackson-databind version 2.9.10.4 [2]. Users should upgrade immediately. If upgrading is not possible, administrators should disable enableDefaultTyping() or explicitly block deserialization of the activemq classes with a custom blocker [3]. The issue was tracked as GitHub issue #2664 in the jackson-databind repository [3].
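The two settings the mitigation contrasts, side by side, as an added example that is not part of this record or of the jackson-databind project: a mapper with global default typing enabled, and a mapper that keeps default typing off and admits polymorphism only through a closed, annotated set of logical subtype names. The Shape/Circle/Square model and the JSON inputs are constructed for illustration.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;

public class PolymorphicTypingDemo {

    // Weak setting: global default typing lets the JSON document name the
    // concrete class to instantiate, which is the precondition for the gadget
    // chains this CVE family covers. Not for use with untrusted input.
    static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // deprecated in 2.10 for this reason
        return mapper;
    }

    // Hardened setting: default typing stays off (the ObjectMapper default), and
    // polymorphism is declared per type with a closed set of logical names, so
    // the payload can never select a class by its fully qualified name.
    static ObjectMapper hardenedMapper() {
        return new ObjectMapper();
    }

    // Hypothetical domain model, constructed for this example.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "type")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = Circle.class, name = "circle"),
        @JsonSubTypes.Type(value = Square.class, name = "square")
    })
    interface Shape {}
    static class Circle implements Shape { public double radius; }
    static class Square implements Shape { public double side; }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = hardenedMapper();

        // Constructed input with a declared subtype name: deserializes normally.
        Shape ok = mapper.readValue("{\"type\":\"circle\",\"radius\":2.0}", Shape.class);
        System.out.println("resolved to " + ok.getClass().getSimpleName());

        // Constructed input with an undeclared type id: Jackson rejects it with
        // InvalidTypeIdException instead of resolving a class by that name.
        try {
            mapper.readValue("{\"type\":\"not-a-declared-subtype\"}", Shape.class);
        } catch (InvalidTypeIdException e) {
            System.out.println("rejected type id: " + e.getTypeId());
        }
    }
}
```

The weakMapper() variant is shown only to make the contrast concrete; the hardened mapper is the configuration to ship when the input is untrusted.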

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: com.fasterxml.jackson.core:jackson-databind (Maven)
Affected versions: >= 2.9.0, < 2.9.10.4
Patched versions: 2.9.10.4

Affected products: 4

Patches: 1

Commit 1d919062ec35

[maven-release-plugin] prepare release jackson-databind-2.9.10.4

https://github.com/FasterXML/jackson-databind · Tatu Saloranta · Apr 11, 2020 · via osv
1 file changed · +2 −2
  • pom.xml (+2 −2, modified)
    @@ -10,7 +10,7 @@
     
       <groupId>com.fasterxml.jackson.core</groupId>
       <artifactId>jackson-databind</artifactId>
    -  <version>2.9.10.4-SNAPSHOT</version>
    +  <version>2.9.10.4</version>
       <name>jackson-databind</name>
       <packaging>bundle</packaging>
       <description>General data-binding functionality for Jackson: works on core streaming API</description>
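Review bot: The only change in this hunk is the version bump from 2.9.10.4-SNAPSHOT to 2.9.10.4; none of the gadget-blocking change for org.apache.activemq.* tracked in issue #2664 appears here, so this commit is the release marker rather than the fix itself, and anyone auditing the remediation should locate the commit that actually extends the blocklist instead of treating this entry as the patch.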
    @@ -21,7 +21,7 @@
         <connection>scm:git:git@github.com:FasterXML/jackson-databind.git</connection>
         <developerConnection>scm:git:git@github.com:FasterXML/jackson-databind.git</developerConnection>
         <url>http://github.com/FasterXML/jackson-databind</url>
    -    <tag>HEAD</tag>
    +    <tag>jackson-databind-2.9.10.4</tag>
       </scm>
     
       <properties>
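Review bot: Replacing `<tag>HEAD</tag>` with `<tag>jackson-databind-2.9.10.4</tag>` is the expected maven-release-plugin output and pins the SCM tag correctly; while touching this block, the unchanged `<url>http://github.com/FasterXML/jackson-databind</url>` context line still uses plain http, and switching it to https would avoid an unauthenticated redirect for anyone following the SCM link.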