CVE-2020-24616
Description
FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
FasterXML jackson-databind before 2.9.10.6 allows remote code execution via unsafe deserialization due to incomplete gadget blocking for AnterosDBCPDataSource.
CVE-2020-24616: Jackson Databind Unsafe Deserialization via Anteros-DBCP
CVE-2020-24616 is a remote code execution (RCE) vulnerability in FasterXML jackson-databind versions 2.x before 2.9.10.6. The issue arises from the library's handling of polymorphic type deserialization when enableDefaultTyping() is used. The vulnerability is related to the interaction between serialization gadgets and typing, specifically involving the br.com.anteros.dbcp.AnterosDBCPDataSource class from the Anteros-DBCP library [2].
Exploitation
An attacker can exploit this vulnerability by crafting a malicious JSON payload that, when deserialized by a Jackson object mapper with default typing enabled, triggers the instantiation of an AnterosDBCPDataSource object. This object's constructor or setter methods can be leveraged to execute arbitrary commands, similar to other known Jackson gadget chains. The attack requires no authentication if the endpoint is exposed, but relies on the presence of the Anteros-DBCP library on the classpath [3].
Impact
Successful exploitation allows an unauthenticated attacker to achieve remote code execution on the server, leading to full system compromise. The vulnerability was assigned a CVSS score of 8.1 (High) due to the potential for RCE without user interaction [2].
Mitigation
The fix was implemented in jackson-databind version 2.9.10.6 by adding br.com.anteros.dbcp.AnterosDBCPDataSource to the block list in SubTypeValidator [4]. Users should upgrade to this version or later, or disable default typing if possible. No workaround exists other than upgrading or removing the vulnerable class from the classpath.
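The mitigation above amounts to two choices: keep default typing off and declare an explicit allow-list of subtypes, or, where global default typing cannot be removed, scope it with a validator. The example below, added here and not code from the jackson-databind project or this advisory, shows both; the `Shape` hierarchy, the `com.example.model.` package prefix and the rejected type id are constructed, and `BasicPolymorphicTypeValidator` / `activateDefaultTyping` exist only from jackson-databind 2.10 onward (the 2.9.10.6 fix line relies on the block list alone).

```java
// Added example: restricting polymorphic deserialization so that unexpected
// type ids are refused instead of relying on SubTypeValidator's block list.
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;

public class SafePolymorphicConfig {

    // Allow-listed hierarchy (constructed): only the named subtypes can be instantiated,
    // and the type id is a logical name, never a fully qualified class name.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "type")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = Circle.class, name = "circle"),
        @JsonSubTypes.Type(value = Square.class, name = "square")
    })
    public interface Shape {}
    public static class Circle implements Shape { public double radius; }
    public static class Square implements Shape { public double side; }

    // jackson-databind 2.10+ only: if global default typing is unavoidable, bind it
    // to a validator so that arbitrary "@class" ids (the vector behind this CVE)
    // outside the assumed application package are rejected.
    public static ObjectMapper restrictedDefaultTypingMapper() {
        BasicPolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType("com.example.model.")   // assumed package prefix
            .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        // Default typing stays off: no enableDefaultTyping() call anywhere.
        ObjectMapper mapper = new ObjectMapper();

        Shape ok = mapper.readValue("{\"type\":\"circle\",\"radius\":2.0}", Shape.class);
        System.out.println("accepted: " + ok.getClass().getSimpleName());

        // Constructed input whose type id is not in the allow-list.
        String unexpected = "{\"type\":\"com.example.NotAllowed\",\"x\":1}";
        try {
            mapper.readValue(unexpected, Shape.class);
        } catch (InvalidTypeIdException e) {
            System.out.println("rejected unknown type id: " + e.getTypeId());
        }
    }
}
```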
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.fasterxml.jackson.core:jackson-databind (Maven) | >= 2.0.0, < 2.9.10.6 | 2.9.10.6 |
Affected products
- FasterXML/jackson-databind
Patches
3d97153944f7: Add a block for #2814
2 files changed · +6 −2
release-notes/VERSION-2.x+3 −1 modified@@ -6,8 +6,10 @@ Project: jackson-databind 2.9.10.6 (not yet released) -#2798: Block one more gadget type (xxx, xxx) +#2798: Block one more gadget type (xxx, CVE-xxxx-xxx) (reported by Al1ex@knownsec) +#2814: Block one more gadget type (xxx, CVE-xxxx-xxx) + (reported by ChenZhaojun) 2.9.10.5 (21-Jun-2020)
src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java+3 −1 modified@@ -137,9 +137,11 @@ public class SubTypeValidator // [databind#2631]: shaded hikari-config s.add("org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig"); - // [databind#2634]: ibatis-sqlmap, anteros-core + // [databind#2634]: ibatis-sqlmap, anteros-core/-dbcp s.add("com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig"); s.add("br.com.anteros.dbcp.AnterosDBCPConfig"); + // [databind#2814]: anteros-dbcp + s.add("br.com.anteros.dbcp.AnterosDBCPDataSource"); // [databind#2642]: javax.swing (jdk) s.add("javax.swing.JEditorPane");
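Review bot: the new #2814 entry in release-notes/VERSION-2.x still carries the placeholders "(xxx, CVE-xxxx-xxx)", and the amended #2798 line keeps the same placeholders, so the notes for the unreleased 2.9.10.6 do not say which gadget class or CVE either block covers; before release the #2814 line should name br.com.anteros.dbcp.AnterosDBCPDataSource and CVE-2020-24616, which this advisory ties to that issue.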
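Review bot: the SubTypeValidator hunk adds `s.add("br.com.anteros.dbcp.AnterosDBCPDataSource");` but the commit touches only the block list and the release notes (2 files changed, no test), so nothing verifies that this type id is now refused; add a test that resolving this class name through the validator fails. Since the #2634 comment was already widened to "anteros-core/-dbcp", the new entry could also sit directly under it beside AnterosDBCPConfig rather than under a separate #2814 comment, unless one comment per issue is the file's convention. Note for consumers that an exact-string block list only covers classes already known, which is why the advisory recommends disabling default typing where possible.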
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-h3cw-g4mq-c5x2 (GHSA: advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-24616 (GHSA: advisory)
- github.com/FasterXML/jackson-databind/commit/3d97153944f7de9c19c1b3637b33d3cf1fbbe4d7 (GHSA: web)
- github.com/FasterXML/jackson-databind/issues/2814 (GHSA: web; x_refsource_MISC)
- lists.debian.org/debian-lts-announce/2021/04/msg00025.html (GHSA: mailing list; x_refsource_MLIST)
- medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 (MITRE: x_refsource_MISC)
- medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 (GHSA: web)
- security.netapp.com/advisory/ntap-20200904-0006 (GHSA: web)
- security.netapp.com/advisory/ntap-20200904-0006/ (MITRE: x_refsource_CONFIRM)
- www.oracle.com//security-alerts/cpujul2021.html (GHSA: web; x_refsource_MISC)
- www.oracle.com/security-alerts/cpuApr2021.html (GHSA: web; x_refsource_MISC)
- www.oracle.com/security-alerts/cpuapr2022.html (GHSA: web; x_refsource_MISC)
- www.oracle.com/security-alerts/cpujan2021.html (GHSA: web; x_refsource_MISC)
- www.oracle.com/security-alerts/cpujan2022.html (GHSA: web; x_refsource_MISC)
- www.oracle.com/security-alerts/cpuoct2021.html (GHSA: web; x_refsource_MISC)