High severity8.1NVD Advisory· Published Apr 7, 2020· Updated Apr 29, 2026

CVE-2020-11619

Description

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop).

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
com.fasterxml.jackson.core:jackson-databindMaven	>= 2.9.0, < 2.9.10.4	2.9.10.4

Affected products

Fasterxml/Jackson Databind
cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*
Range: >=2.0.0,<2.9.10.4
NetApp/Active Iq Unified Manager3 versions
cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:linux:*:*+ 2 more
- cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:linux:*:*range: >=7.3
- cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:vmware_vsphere:*:*range: >=9.5
- cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:windows:*:*range: >=7.3
NetApp/Steelstore Cloud Integrated Storage
cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:*:*:*:*:*:*:*
Oracle Corporation/Agile Plm
cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*
Oracle Corporation/Banking Platform
cpe:2.3:a:oracle:banking_platform:*:*:*:*:*:*:*:*
Range: >=2.4.0,<=2.9.0
Oracle Corporation/Communications Calendar Server
cpe:2.3:a:oracle:communications_calendar_server:8.0.0.4.0:*:*:*:*:*:*:*
Oracle Corporation/Communications Contacts Server2 versions
cpe:2.3:a:oracle:communications_contacts_server:8.0.0.4.0:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:oracle:communications_contacts_server:8.0.0.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_contacts_server:8.0.0.5.0:*:*:*:*:*:*:*
Oracle Corporation/Communications Diameter Signaling Router
cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:*
Range: >=8.0.0,<=8.2.2
Oracle Corporation/Communications Evolved Communications Application Server
cpe:2.3:a:oracle:communications_evolved_communications_application_server:7.1:*:*:*:*:*:*:*
Oracle Corporation/Communications Instant Messaging Server
cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.4.0:*:*:*:*:*:*:*
Oracle Corporation/Communications Network Charging And Control2 versions
cpe:2.3:a:oracle:communications_network_charging_and_control:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:oracle:communications_network_charging_and_control:*:*:*:*:*:*:*:*range: >=12.0.0,<=12.0.3
- cpe:2.3:a:oracle:communications_network_charging_and_control:6.0.1:*:*:*:*:*:*:*
Oracle Corporation/Enterprise Manager Base Platform2 versions
cpe:2.3:a:oracle:enterprise_manager_base_platform:13.3.0.0:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:oracle:enterprise_manager_base_platform:13.3.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:enterprise_manager_base_platform:13.4.0.0:*:*:*:*:*:*:*
Oracle Corporation/Global Lifecycle Management Opatch
cpe:2.3:a:oracle:global_lifecycle_management_opatch:*:*:*:*:*:*:*:*
Range: <12.2.0.1.20
Oracle Corporation/Jd Edwards Enterpriseone Orchestrator
cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:*:*:*:*:*:*:*:*
Range: <9.2.4.2
Oracle Corporation/Jd Edwards Enterpriseone Tools
cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*
Range: <9.2.4.2
Oracle Corporation/Primavera Unifier5 versions
cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*+ 4 more
- cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*range: >=17.7,<=17.12
- cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_unifier:19.12:*:*:*:*:*:*:*
Oracle Corporation/Retail Merchandising System
cpe:2.3:a:oracle:retail_merchandising_system:15.0:*:*:*:*:*:*:*
Oracle Corporation/Retail Sales Audit
cpe:2.3:a:oracle:retail_sales_audit:14.1:*:*:*:*:*:*:*
Oracle Corporation/Retail Xstore Point Of Service5 versions
cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0:*:*:*:*:*:*:*+ 4 more
- cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0:*:*:*:*:*:*:*
Oracle Corporation/Weblogic Server2 versions
cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
Debian/Debian Linux
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

Patches

1d919062ec35

[maven-release-plugin] prepare release jackson-databind-2.9.10.4

https://github.com/FasterXML/jackson-databindTatu SalorantaApr 11, 2020via osv

commit

1 file changed · +2 −2

pom.xml+2 −2 modified

@@ -10,7 +10,7 @@
 
   <groupId>com.fasterxml.jackson.core</groupId>
   <artifactId>jackson-databind</artifactId>
-  <version>2.9.10.4-SNAPSHOT</version>
+  <version>2.9.10.4</version>
   <name>jackson-databind</name>
   <packaging>bundle</packaging>
   <description>General data-binding functionality for Jackson: works on core streaming API</description>
@@ -21,7 +21,7 @@
     <connection>scm:git:git@github.com:FasterXML/jackson-databind.git</connection>
     <developerConnection>scm:git:git@github.com:FasterXML/jackson-databind.git</developerConnection>
     <url>http://github.com/FasterXML/jackson-databind</url>
-    <tag>HEAD</tag>
+    <tag>jackson-databind-2.9.10.4</tag>
   </scm>
 
   <properties>

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/FasterXML/jackson-databind/issues/2680nvdIssue TrackingPatchThird Party AdvisoryWEB
github.com/advisories/GHSA-27xj-rqx5-2255ghsaADVISORY
lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3EnvdThird Party AdvisoryWEB
lists.debian.org/debian-lts-announce/2020/04/msg00012.htmlnvdMailing ListThird Party AdvisoryWEB
medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062nvdThird Party AdvisoryWEB
nvd.nist.gov/vuln/detail/CVE-2020-11619ghsaADVISORY
security.netapp.com/advisory/ntap-20200511-0004/nvdThird Party Advisory
www.oracle.com/security-alerts/cpujan2021.htmlnvdThird Party AdvisoryWEB
www.oracle.com/security-alerts/cpujul2020.htmlnvdThird Party AdvisoryWEB
www.oracle.com/security-alerts/cpuoct2020.htmlnvdThird Party AdvisoryWEB
lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3EghsaWEB
medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062ghsaWEB
security.netapp.com/advisory/ntap-20200511-0004ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.526
epss	0.001
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000