VYPR
High severity · NVD Advisory · Published Jan 6, 2021 · Updated Aug 4, 2024

CVE-2020-36179

Description

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2020-36179 is a deserialization vulnerability in FasterXML jackson-databind allowing remote code execution via crafted JSON when default typing is enabled, using a gadget from Apache Commons DBCP.

Vulnerability

CVE-2020-36179 is a deserialization vulnerability in FasterXML jackson-databind versions before 2.9.10.8. The issue arises from mishandling the interaction between serialization gadgets and typing, specifically allowing the class oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS to be used as a gadget [2][3]. This class is part of the Apache Commons DBCP library and can be leveraged to execute arbitrary code when deserialized.

Exploitation

To exploit this vulnerability, an attacker needs to send a specially crafted JSON payload to an application that uses jackson-databind with default typing enabled. No authentication is required if the application accepts untrusted input. The gadget class can instantiate objects that perform actions such as establishing JDBC connections, leading to remote code execution [4].

Impact

Successful exploitation allows an attacker to execute arbitrary code in the context of the vulnerable application, potentially leading to full system compromise. The impact is severe, with a CVSS score of 9.8 (Critical) [2].

Mitigation

The vulnerability is patched in jackson-databind version 2.9.10.8. Users are strongly advised to upgrade to this version or later. If upgrading is not possible, disabling default typing (that is, not calling ObjectMapper.enableDefaultTyping()) prevents exploitation, though it may affect application functionality. This CVE is part of a series of related DBCP gadget issues addressed in the same release [4].
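As an added illustration of the mitigation above (example code written for this page, not code from the advisory, the FasterXML project, or the reporter): on jackson-databind 2.10 and later the deprecated ObjectMapper.enableDefaultTyping() is superseded by activateDefaultTyping() combined with a PolymorphicTypeValidator, so that a class name carried inside the JSON is resolved only when it matches an explicit allow-list. The package com.example.safe, the Envelope and LoginEvent types, and the two JSON inputs are constructed for this example; java.util.HashMap stands in for any loadable class that is not on the allow-list.

```java
// Added example, not part of the advisory or of jackson-databind itself.
// Assumes jackson-databind >= 2.10 on the classpath; all names below are constructed.
package com.example.safe;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public final class SafeDefaultTypingDemo {

    /** Root document. Declared final so NON_FINAL default typing adds no type id at the root. */
    public static final class Envelope {
        public Object payload;   // polymorphic field: the JSON carries a class name for it
    }

    /** An application-owned payload type that is legitimately allowed to appear. */
    public static final class LoginEvent {
        public String user;
    }

    /** Weak configuration: honours any loadable class name found in the JSON. */
    static ObjectMapper legacyMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL); // deprecated since 2.10
        return m;
    }

    /** Hardened configuration: class names are resolved only under our own package prefix. */
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.safe.")   // allow-list by package prefix
                .build();
        return JsonMapper.builder()
                .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL)
                .build();
    }

    /** True if the mapper refuses to resolve the class name carried in {@code json}. */
    static boolean rejectsTypeId(ObjectMapper mapper, String json) {
        try {
            mapper.readValue(json, Envelope.class);
            return false;
        } catch (InvalidTypeIdException e) {
            return true;   // validator denied resolution, or no such class
        } catch (java.io.IOException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: an allow-listed application type, and a JDK class outside the allow-list.
        String ok  = "{\"payload\":[\"com.example.safe.SafeDefaultTypingDemo$LoginEvent\",{\"user\":\"alice\"}]}";
        String bad = "{\"payload\":[\"java.util.HashMap\",{\"k\":\"v\"}]}";

        ObjectMapper hardened = hardenedMapper();
        LoginEvent ev = (LoginEvent) hardened.readValue(ok, Envelope.class).payload;
        System.out.println("allow-listed type resolved, user=" + ev.user);
        System.out.println("hardened rejects java.util.HashMap: " + rejectsTypeId(hardened, bad));
        System.out.println("legacy   rejects java.util.HashMap: " + rejectsTypeId(legacyMapper(), bad));
        // The hardened mapper reports true; the legacy mapper reports false because it
        // resolves any loadable class and relies only on the built-in deny-list.
    }
}
```

The design point is that the hardened mapper answers "is this class one of ours?" before loading anything, whereas the built-in deny-list in SubTypeValidator can only answer "is this one of the class names we already know to be dangerous?", which is why each newly reported gadget such as DriverAdapterCPDS needs a further release.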

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                             | Affected versions     | Patched versions
com.fasterxml.jackson.core:jackson-databind (Maven) | >= 2.7.0, < 2.9.10.8  | 2.9.10.8
com.fasterxml.jackson.core:jackson-databind (Maven) | >= 2.0.0, < 2.6.7.5   | 2.6.7.5

Affected products: 2

Patches: 3

e19c557b7891

[maven-release-plugin] prepare release jackson-databind-2.6.7.5

https://github.com/FasterXML/jackson-databind · Tatu Saloranta · Jun 22, 2021 · via osv
1 file changed · +2 −2
  • pom.xml (+2 −2, modified)
    @@ -10,7 +10,7 @@
     
       <groupId>com.fasterxml.jackson.core</groupId>
       <artifactId>jackson-databind</artifactId>
    -  <version>2.6.7.5-SNAPSHOT</version>
    +  <version>2.6.7.5</version>
       <name>jackson-databind</name>
       <packaging>bundle</packaging>
       <description>General data-binding functionality for Jackson: works on core streaming API</description>
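Review bot: the patched-version column above (2.6.7.5) rests solely on this SNAPSHOT-to-release bump, and the commit header dates it Jun 22, 2021, almost six months after the 2.9.10.8 release and the SubTypeValidator change in 3ded28aece69; anyone pinned to the 2.6 line should therefore verify that the resolved artifact is >= 2.6.7.5 rather than assume the backport shipped together with the 2.9 fix.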
    @@ -21,7 +21,7 @@
         <connection>scm:git:git@github.com:FasterXML/jackson-databind.git</connection>
         <developerConnection>scm:git:git@github.com:FasterXML/jackson-databind.git</developerConnection>
         <url>http://github.com/FasterXML/jackson-databind</url>
    -    <tag>HEAD</tag>
    +    <tag>jackson-databind-2.6.7.5</tag>
       </scm>
     
       <properties>
    
7ae9214c0670

[maven-release-plugin] prepare release jackson-databind-2.9.10.8

https://github.com/FasterXML/jackson-databind · Tatu Saloranta · Jan 6, 2021 · via osv
1 file changed · +2 −2
  • pom.xml (+2 −2, modified)
    @@ -10,7 +10,7 @@
     
       <groupId>com.fasterxml.jackson.core</groupId>
       <artifactId>jackson-databind</artifactId>
    -  <version>2.9.10.8-SNAPSHOT</version>
    +  <version>2.9.10.8</version>
       <name>jackson-databind</name>
       <packaging>bundle</packaging>
       <description>General data-binding functionality for Jackson: works on core streaming API</description>
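Review bot: this bump is what ties the patched version 2.9.10.8 to the advisory, but it carries none of the fix itself; the code change lives entirely in 3ded28aece69 (SubTypeValidator.java), so when confirming a deployment is fixed, the presence of the DriverAdapterCPDS entries in SubTypeValidator is the direct test and this pom change is only a proxy for it.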
    @@ -21,7 +21,7 @@
         <connection>scm:git:git@github.com:FasterXML/jackson-databind.git</connection>
         <developerConnection>scm:git:git@github.com:FasterXML/jackson-databind.git</developerConnection>
         <url>http://github.com/FasterXML/jackson-databind</url>
    -    <tag>HEAD</tag>
    +    <tag>jackson-databind-2.9.10.8</tag>
       </scm>
     
       <properties>
    
3ded28aece69

Fixed #3004

https://github.com/FasterXML/jackson-databind · Tatu Saloranta · Jan 1, 2021 · via ghsa
2 files changed · +16 −7
  • release-notes/VERSION-2.x (+2 −0, modified)
    @@ -17,6 +17,8 @@ Project: jackson-databind
     #2999: Block 1 more gadget type (org.glassfish.web/javax.servlet.jsp.jstl, CVE-2020-35728)
      (reported by bu5yer of Sangfor FarSight Security Lab)
     #3003: Block one more gadget type (xxx, CVE to be allocated)
    +#3004: Block one more DBCP-related potential gadget class
    + (reported by Al1ex@knownsec)
     
     2.9.10.7 (02-Dec-2020)
     
    
  • src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java (+14 −7, modified)
    @@ -118,9 +118,12 @@ public class SubTypeValidator
             // [databind#2704]: xalan2
             s.add("com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool");
     
    -        // [databind#2478]: comons-dbcp, p6spy
    +        // [databind#2478]: commons-dbcp 1.x, p6spy
    +        // [databind#3004]: commons-dbcp 1.x
    +        s.add("org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS");
             s.add("org.apache.commons.dbcp.datasources.PerUserPoolDataSource");
             s.add("org.apache.commons.dbcp.datasources.SharedPoolDataSource");
    +
             s.add("com.p6spy.engine.spy.P6DataSource");
     
             // [databind#2498]: log4j-extras (1.2)
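Review bot: these entries are exact class-name strings in a deny set (later wrapped as DEFAULT_NO_DESER_CLASS_NAMES), so this commit blocks only the spellings it lists; any further relocated or shaded copy of DriverAdapterCPDS under another package is not covered, which is why the list can only be a backstop for applications that leave default typing enabled. Minor: the blank `+` line inserted after the SharedPoolDataSource entry is a whitespace-only change unrelated to the fix and could be dropped.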
    @@ -185,8 +188,9 @@ public class SubTypeValidator
             // [databind#2682]: commons-jelly
             s.add("org.apache.commons.jelly.impl.Embedded");
     
    -        // [databind#2688]: apache/drill
    +        // [databind#2688], [databind#3004]: apache/drill
             s.add("oadd.org.apache.xalan.lib.sql.JNDIConnectionPool");
    +        s.add("oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS");
             s.add("oadd.org.apache.commons.dbcp.datasources.PerUserPoolDataSource");
             s.add("oadd.org.apache.commons.dbcp.datasources.SharedPoolDataSource");
     
    @@ -209,32 +213,35 @@ public class SubTypeValidator
             s.add("com.nqadmin.rowset.JdbcRowSetImpl");
             s.add("org.arrah.framework.rdbms.UpdatableJdbcRowsetImpl");
     
    -        // [databind#2986]: dbcp2
    +        // [databind#2986], [databind#3004]: dbcp2
             s.add("org.apache.commons.dbcp2.datasources.PerUserPoolDataSource");
             s.add("org.apache.commons.dbcp2.datasources.SharedPoolDataSource");
    +        s.add("org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS");
     
             // [databind#2996]: newrelic-agent + embedded-logback-core
             // (derivative of #2334 and #2389)
             s.add("com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource");
             s.add("com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource");
     
    -        // [databind#2997]: tomcat/naming-factory-dbcp (embedded dbcp 1.x)
    +        // [databind#2997]/[databind#3004]: tomcat/naming-factory-dbcp (embedded dbcp 1.x)
             // (derivative of #2478)
    +        s.add("org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS");
             s.add("org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource");
             s.add("org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource");
     
    -        // [databind#2998]: org.apache.tomcat/tomcat-dbcp (embedded dbcp 2.x)
    +        // [databind#2998]/[databind#3004]: org.apache.tomcat/tomcat-dbcp (embedded dbcp 2.x)
             // (derivative of #2478)
    +        s.add("org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS");
             s.add("org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource");
             s.add("org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource");
     
             // [databind#2999]: org.glassfish.web/javax.servlet.jsp.jstl (embedded Xalan)
             // (derivative of #2469)
             s.add("com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool");
     
    -        // [databind#303]: another case of embedded Xalan (derivative of #2469)
    +        // [databind#3003]: another case of embedded Xalan (derivative of #2469)
             s.add("org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool");
    -
    +        
             DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
         }
     
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 16

News mentions: 0

No linked articles in our index yet.