VYPR
High severity · NVD Advisory · Published Apr 7, 2020 · Updated Aug 4, 2024

CVE-2020-11620

Description

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded (aka commons-jelly).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2020-11620 describes a deserialization vulnerability in FasterXML jackson-databind before 2.9.10.4 that allows remote code execution when combined with the commons-jelly gadget.

Vulnerability

Analysis

CVE-2020-11620 is a deserialization vulnerability in FasterXML jackson-databind versions 2.x prior to 2.9.10.4. The issue arises from improper handling of the interaction between serialization gadgets and typing, specifically involving the org.apache.commons.jelly.impl.Embedded class from the commons-jelly library. When default typing is enabled, an attacker can leverage this gadget to achieve remote code execution [1][2].

Exploitation

Prerequisites

Exploitation requires that the Jackson application has enabled default typing (e.g., via ObjectMapper.enableDefaultTyping()) and that the commons-jelly library is present on the classpath. The attack vector is network-based and does not require authentication, making it exploitable remotely [2][4].

Impact

Successful exploitation allows an attacker to execute arbitrary code on the target system. This poses critical risks to confidentiality, integrity, and availability, as the attacker gains full control over the affected Java application [2][3].

Mitigation

FasterXML patched this vulnerability in jackson-databind version 2.9.10.4. Users should upgrade to this version or later. As a workaround, disabling default typing or restricting the allowed subtypes can reduce the attack surface. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (Critical) [2][3].
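An added example (not code from the advisory or from the jackson-databind project) contrasting the weak ObjectMapper setup named under Prerequisites with the allow-list form that Jackson 2.10 and later provide for "restricting the allowed subtypes". The `com.example.model.` prefix is a hypothetical package standing for an application's own DTOs, and `Plain` is a constructed stand-in class; the check shows that the hardened mapper refuses a type id outside the allow-list before the named class is instantiated, while the weak mapper builds it.

```java
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingHardening {
    // Constructed stand-in for "some class on the classpath"; it is not a
    // gadget and does nothing when instantiated.
    public static class Plain { public int x; }
    // Weak setup: default typing honours any class name the JSON carries, so
    // only SubTypeValidator's deny-list guards the classpath (2.9.x before
    // 2.9.10.4 did not list org.apache.commons.jelly.impl.Embedded).
    @SuppressWarnings("deprecation")
    static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL,
                JsonTypeInfo.As.PROPERTY);
        return mapper;
    }
    // Hardened setup (Jackson 2.10+): polymorphic handling is only activated
    // behind an allow-list; "com.example.model." is a hypothetical package
    // prefix standing for the application's own DTOs.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL,
                JsonTypeInfo.As.PROPERTY);
        return mapper;
    }
    // True if the mapper refuses a type id outside the allow-list before any
    // constructor or setter of that type runs; false if it instantiated it.
    static boolean rejectsUnlistedType(ObjectMapper mapper) {
        String json = "{\"@class\":\"" + Plain.class.getName() + "\",\"x\":1}";
        try {
            mapper.readValue(json, Object.class);
            return false;
        } catch (InvalidTypeIdException e) {
            return true;
        } catch (java.io.IOException e) {
            return false; // malformed input, not a type-id rejection
        }
    }

    public static void main(String[] args) {
        System.out.println("weak rejects: " + rejectsUnlistedType(weakMapper()));
        System.out.println("hardened rejects: " + rejectsUnlistedType(hardenedMapper()));
    }
}
```

Disabling default typing altogether (the page's other workaround) is the stronger choice where the application does not need polymorphic deserialization at all; the allow-list is for the cases where it does.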

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: com.fasterxml.jackson.core:jackson-databind (Maven)
Affected versions: >= 2.9.0, < 2.9.10.4
Patched versions: 2.9.10.4

Patches (2)

08fbfacf89a4

fix: merge fix from 2.9 branch #2653 #2658 #2659 #2660 #2662 #2664 #2666 #2670 #2680 #2682 #2688 #2698 #2704 #2765 #2798 #2814 #2826 #2827 #2854 (#2858)

1 file changed · +78 -11
  • src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java (+78 -11, modified)
    @@ -48,6 +48,9 @@ public class SubTypeValidator
             // [databind#1737]; 3rd party
     //s.add("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor"); // deprecated by [databind#1855]
             s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean");
    +        // [databind#2680]
    +        s.add("org.springframework.aop.config.MethodLocatingFactoryBean");
    +        s.add("org.springframework.beans.factory.config.BeanReferenceFactoryBean");
     
     // s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource"); // deprecated by [databind#1931]
     // s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"); // - "" -
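Review bot: the new group comment `// [databind#2680]` carries no library label, unlike the neighbouring groups (`// [databind#2334]: logback-core`, `// [databind#2341]: jdom/jdom2`); since the two entries come from different Spring modules, `// [databind#2680]: spring-aop, spring-beans` would keep the list searchable by library the way the rest of the file is.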
    @@ -73,24 +76,26 @@ public class SubTypeValidator
             s.add("com.sun.deploy.security.ruleset.DRSHelper");
             s.add("org.apache.axis2.jaxws.spi.handler.HandlerResolverImpl");
     
    -        // [databind#2186]: yet more 3rd party gadgets
    +        // [databind#2186], [databind#2670]: yet more 3rd party gadgets
             s.add("org.jboss.util.propertyeditor.DocumentEditor");
             s.add("org.apache.openjpa.ee.RegistryManagedRuntime");
             s.add("org.apache.openjpa.ee.JNDIManagedRuntime");
    -        s.add("org.apache.axis2.transport.jms.JMSOutTransportInfo");   
    -        
    -        // [databind#2326] (2.7.9.6): one more 3rd party gadget
    +        s.add("org.apache.openjpa.ee.WASRegistryManagedRuntime"); // [#2670] addition
    +        s.add("org.apache.axis2.transport.jms.JMSOutTransportInfo");
    +
    +        // [databind#2326] (2.9.9)
             s.add("com.mysql.cj.jdbc.admin.MiniAdmin");
     
    -        // [databind#2334]: logback-core
    +        // [databind#2334]: logback-core (2.9.9.1)
             s.add("ch.qos.logback.core.db.DriverManagerConnectionSource");
     
    -        // [databind#2341]: jdom/jdom2
    +        // [databind#2341]: jdom/jdom2 (2.9.9.1)
             s.add("org.jdom.transform.XSLTransformer");
             s.add("org.jdom2.transform.XSLTransformer");
     
    -        // [databind#2387]: EHCache
    +        // [databind#2387], [databind#2460]: EHCache
             s.add("net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup");
    +        s.add("net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup");
     
             // [databind#2389]: logback/jndi
             s.add("ch.qos.logback.core.db.JNDIConnectionSource");
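Review bot: the new line `s.add("org.apache.openjpa.ee.WASRegistryManagedRuntime"); // [#2670] addition` references the issue as `[#2670]` while the comment three lines above and the rest of the file use `[databind#2670]`; use the same form so entries can be traced to issues with one grep. The `JMSOutTransportInfo` entry is removed and re-added with only trailing whitespace changed, which makes the hunk look like it touches one more gadget than it does; whitespace-only cleanups are better kept out of a security fix commit.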
    @@ -107,8 +112,10 @@ public class SubTypeValidator
             s.add("org.apache.commons.configuration.JNDIConfiguration");
             s.add("org.apache.commons.configuration2.JNDIConfiguration");
     
    -        // [databind#2469]: xalan2
    +        // [databind#2469]: xalan
             s.add("org.apache.xalan.lib.sql.JNDIConnectionPool");
    +        // [databind#2704]: xalan2
    +        s.add("com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool");
     
             // [databind#2478]: comons-dbcp, p6spy
             s.add("org.apache.commons.dbcp.datasources.PerUserPoolDataSource");
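Review bot: the label on the new entry, `// [databind#2704]: xalan2`, is confusing now that the comment above it has just been changed from `xalan2` to `xalan`: the class being added, `com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool`, is the JDK-internal copy of the Xalan class blocked on the preceding line, so `// [databind#2704]: xalan (jdk-internal copy)` would say what it is. The context line `// [databind#2478]: comons-dbcp, p6spy` also has a typo (`commons-dbcp`) worth fixing while here.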
    @@ -129,15 +136,75 @@ public class SubTypeValidator
             // [databind#2631]: shaded hikari-config
             s.add("org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig");
     
    -        // [databind#2634]: ibatis-sqlmap, anteros-core
    +        // [databind#2634]: ibatis-sqlmap, anteros-core/-dbcp
             s.add("com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig");
             s.add("br.com.anteros.dbcp.AnterosDBCPConfig");
    +        // [databind#2814]: anteros-dbcp
    +        s.add("br.com.anteros.dbcp.AnterosDBCPDataSource");
     
    -        // [databind#2642]: javax.swing (jdk)
    +        // [databind#2642][databind#2854]: javax.swing (jdk)
             s.add("javax.swing.JEditorPane");
    +        s.add("javax.swing.JTextPane");
     
    -        // [databind#2648]: shire-core
    +        // [databind#2648], [databind#2653]: shire-core
             s.add("org.apache.shiro.realm.jndi.JndiRealmFactory");
    +        s.add("org.apache.shiro.jndi.JndiObjectFactory");
    +
    +        // [databind#2658]: ignite-jta (, quartz-core)
    +        s.add("org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup");
    +        s.add("org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory");
    +        s.add("org.quartz.utils.JNDIConnectionProvider");
    +
    +        // [databind#2659]: aries.transaction.jms
    +        s.add("org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory");
    +        s.add("org.apache.aries.transaction.jms.RecoverablePooledConnectionFactory");
    +
    +        // [databind#2660]: caucho-quercus
    +        s.add("com.caucho.config.types.ResourceRef");
    +
    +        // [databind#2662]: aoju/bus-proxy
    +        s.add("org.aoju.bus.proxy.provider.RmiProvider");
    +        s.add("org.aoju.bus.proxy.provider.remoting.RmiProvider");
    +
    +        // [databind#2664]: activemq-core, activemq-pool, activemq-pool-jms
    +
    +        s.add("org.apache.activemq.ActiveMQConnectionFactory"); // core
    +        s.add("org.apache.activemq.ActiveMQXAConnectionFactory");
    +        s.add("org.apache.activemq.spring.ActiveMQConnectionFactory");
    +        s.add("org.apache.activemq.spring.ActiveMQXAConnectionFactory");
    +        s.add("org.apache.activemq.pool.JcaPooledConnectionFactory"); // pool
    +        s.add("org.apache.activemq.pool.PooledConnectionFactory");
    +        s.add("org.apache.activemq.pool.XaPooledConnectionFactory");
    +        s.add("org.apache.activemq.jms.pool.XaPooledConnectionFactory"); // pool-jms
    +        s.add("org.apache.activemq.jms.pool.JcaPooledConnectionFactory");
    +        
    +        // [databind#2666]: apache/commons-jms
    +        s.add("org.apache.commons.proxy.provider.remoting.RmiProvider");
    +
    +        // [databind#2682]: commons-jelly
    +        s.add("org.apache.commons.jelly.impl.Embedded");
    +
    +        // [databind#2688]: apache/drill
    +        s.add("oadd.org.apache.xalan.lib.sql.JNDIConnectionPool");
    +
    +        // [databind#2698]: weblogic w/ oracle/aq-jms
    +        // (note: dependency not available via Maven Central, but as part of
    +        // weblogic installation, possibly fairly old version(s))
    +        s.add("oracle.jms.AQjmsQueueConnectionFactory");
    +        s.add("oracle.jms.AQjmsXATopicConnectionFactory");
    +        s.add("oracle.jms.AQjmsTopicConnectionFactory");
    +        s.add("oracle.jms.AQjmsXAQueueConnectionFactory");
    +        s.add("oracle.jms.AQjmsXAConnectionFactory");
    +
    +        // [databind#2764]: org.jsecurity:
    +        s.add("org.jsecurity.realm.jndi.JndiRealmFactory");
    +
    +        // [databind#2798]: com.pastdev.httpcomponents:
    +        s.add("com.pastdev.httpcomponents.configuration.JndiConfiguration");
    +
    +        // [databind#2826], [databind#2827]
    +        s.add("com.nqadmin.rowset.JdbcRowSetImpl");
    +        s.add("org.arrah.framework.rdbms.UpdatableJdbcRowsetImpl");
     
             DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
         }
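Review bot: the comment `// [databind#2764]: org.jsecurity:` does not match the commit message, which lists #2765 and not #2764; one of the two should be corrected so the entry can be traced to its issue. Also in this hunk: `shire-core` in `// [databind#2648], [databind#2653]: shire-core` should be `shiro-core` (the classes are `org.apache.shiro.*`); `// [databind#2666]: apache/commons-jms` labels an `org.apache.commons.proxy` class, so `commons-proxy` is the intended name; the `+        ` line after the `JcaPooledConnectionFactory` entry is whitespace-only, and the blank line between the `[databind#2664]` comment and its first entry is inconsistent with every other group.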
    
77040d85e3eb

Fix #2682

https://github.com/FasterXML/jackson-databind · Tatu Saloranta · Apr 7, 2020 · via ghsa
2 files changed · +4 -0
  • release-notes/VERSION-2.x (+1 -0, modified)
    @@ -29,6 +29,7 @@ Project: jackson-databind
     #2670: Block one more gadget type (openjpa, CVE-2020-11113)
      (reported by XuYuanzhen)
     #2680: Block one more gadget type (spring-aop)
    +#2680: Block one more gadget type (commons-jelly)
     
     2.9.10.3 (23-Feb-2020)
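Review bot: the new release-note line `+#2680: Block one more gadget type (commons-jelly)` reuses the issue number of the line above it (`#2680: Block one more gadget type (spring-aop)`); this commit is `Fix #2682` and the matching SubTypeValidator comment reads `[databind#2682]`, so the entry should read `#2682: Block one more gadget type (commons-jelly)`. The `#2670` entry above records its CVE id in parentheses (`CVE-2020-11113`); adding `CVE-2020-11620` here would follow that convention.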
     
    
  • src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java (+3 -0, modified)
    @@ -177,6 +177,9 @@ public class SubTypeValidator
             // [databind#2666]: apache/commons-jms
             s.add("org.apache.commons.proxy.provider.remoting.RmiProvider");
     
    +        // [databind#2682]: commons-jelly
    +        s.add("org.apache.commons.jelly.impl.Embedded");
    +
             DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
         }
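Review bot: the entry follows the file's conventions, but a deny-list match is exact on the class name: the list already carries shaded and relocated copies of earlier gadgets (`org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig`, `oadd.org.apache.xalan.lib.sql.JNDIConnectionPool`), so a relocated copy of `org.apache.commons.jelly.impl.Embedded` would not be caught by this line. A regression test asserting that this type id is rejected when default typing is enabled would document why the entry exists and catch an accidental removal.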
     
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
