VYPR
High severity · NVD Advisory · Published Jan 6, 2021 · Updated Aug 4, 2024

CVE-2020-36182

Description

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jackson-databind before 2.9.10.8 allows remote code execution via deserialization of a malicious org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS object.

Vulnerability

Overview

FasterXML jackson-databind versions prior to 2.9.10.8 do not properly block the class org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS in the SubTypeValidator blocklist, allowing its use as a deserialization gadget [3]. This extends previous fixes for similar DBCP-related gadget classes.

Exploitation

An attacker can exploit this by sending crafted JSON or other serialized data that, when deserialized with default typing enabled, instantiates the DriverAdapterCPDS class, which can then trigger remote code execution through its JDBC connection properties [4]. No authentication is required if the application exposes deserialization endpoints.

Impact

Successful exploitation allows an attacker to execute arbitrary code on the server or perform other malicious actions, depending on the gadget chain used. This vulnerability is part of a series of similar issues affecting Jackson-databind's gadget blocking mechanism [3].

Mitigation

Users should upgrade to jackson-databind version 2.9.10.8 or later, which includes this class in the blocklist. For environments that cannot upgrade, disabling polymorphic typing is recommended, though this may not be feasible for all applications [3][4].
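The two mitigations above, shown as an added example that is not part of this advisory or of the jackson-databind project. The Shape/Circle model and the placeholder type id com.example.untrusted.SomeType are constructed for the example. The allowlist API used in the second mapper (BasicPolymorphicTypeValidator and ObjectMapper.activateDefaultTyping) exists in jackson-databind 2.10 and later, so it complements the upgrade rather than replacing it; the first mapper, which simply never enables default typing, works on every 2.x release.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class PolymorphicTypingHardening {

    // Application model types, constructed for this example.
    public interface Shape { }
    public static class Circle implements Shape {
        public double radius;
    }

    // Mitigation 1: leave default typing off. Without an enableDefaultTyping() /
    // activateDefaultTyping() call, a type id in the input never selects a class
    // to instantiate, so gadget classes are never reachable through "@class".
    public static ObjectMapper noDefaultTypingMapper() {
        return new ObjectMapper();
    }

    // Mitigation 2 (jackson-databind 2.10+): when polymorphic deserialization is
    // genuinely needed, accept only the application's own type hierarchy. This is an
    // allowlist, unlike the SubTypeValidator blocklist that the patch extends; a
    // gadget class that nobody has blocked yet is still refused here.
    public static ObjectMapper allowlistedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Shape.class)
                .build();
        ObjectMapper mapper = new ObjectMapper();
        // WRAPPER_ARRAY inclusion: a value is encoded as ["<type id>", {...}]
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = allowlistedMapper();

        // Legitimate payload: the type id is inside the allowed hierarchy.
        String ok = "[\"" + Circle.class.getName() + "\", {\"radius\": 2.0}]";
        Shape shape = mapper.readValue(ok, Shape.class);
        System.out.println("accepted: " + shape.getClass().getSimpleName());

        // Payload naming a type outside the allowlist (constructed placeholder name).
        // The validator refuses the type id; no instance of that class is created.
        String rejected = "[\"com.example.untrusted.SomeType\", {}]";
        try {
            mapper.readValue(rejected, Shape.class);
            System.out.println("unexpected: payload accepted");
        } catch (InvalidTypeIdException e) {
            System.out.println("rejected type id: " + e.getTypeId());
        }

        // With default typing off, the same document is just a JSON array that does
        // not match Shape, and no class name from the input is ever resolved.
        try {
            noDefaultTypingMapper().readValue(rejected, Shape.class);
        } catch (Exception e) {
            System.out.println("no default typing: " + e.getClass().getSimpleName());
        }
    }
}
```

Compile against jackson-databind 2.10 or later. The practical check for a codebase is the same as the second mapper: grep for enableDefaultTyping and activateDefaultTyping, and make sure every activation passes a PolymorphicTypeValidator that allows only the application's own base types.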

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                               Affected versions      Patched versions
com.fasterxml.jackson.core:jackson-databind (Maven)   >= 2.7.0, < 2.9.10.8   2.9.10.8
com.fasterxml.jackson.core:jackson-databind (Maven)   >= 2.0.0, < 2.6.7.5    2.6.7.5

Affected products

2

Patches

3
e19c557b7891

[maven-release-plugin] prepare release jackson-databind-2.6.7.5

https://github.com/FasterXML/jackson-databind · Tatu Saloranta · Jun 22, 2021 · via osv
1 file changed · +2 −2
  • pom.xml +2 −2 modified
    @@ -10,7 +10,7 @@
     
       <groupId>com.fasterxml.jackson.core</groupId>
       <artifactId>jackson-databind</artifactId>
    -  <version>2.6.7.5-SNAPSHOT</version>
    +  <version>2.6.7.5</version>
       <name>jackson-databind</name>
       <packaging>bundle</packaging>
       <description>General data-binding functionality for Jackson: works on core streaming API</description>
    @@ -21,7 +21,7 @@
         <connection>scm:git:git@github.com:FasterXML/jackson-databind.git</connection>
         <developerConnection>scm:git:git@github.com:FasterXML/jackson-databind.git</developerConnection>
         <url>http://github.com/FasterXML/jackson-databind</url>
    -    <tag>HEAD</tag>
    +    <tag>jackson-databind-2.6.7.5</tag>
       </scm>
     
       <properties>
    
7ae9214c0670

[maven-release-plugin] prepare release jackson-databind-2.9.10.8

https://github.com/FasterXML/jackson-databind · Tatu Saloranta · Jan 6, 2021 · via osv
1 file changed · +2 −2
  • pom.xml +2 −2 modified
    @@ -10,7 +10,7 @@
     
       <groupId>com.fasterxml.jackson.core</groupId>
       <artifactId>jackson-databind</artifactId>
    -  <version>2.9.10.8-SNAPSHOT</version>
    +  <version>2.9.10.8</version>
       <name>jackson-databind</name>
       <packaging>bundle</packaging>
       <description>General data-binding functionality for Jackson: works on core streaming API</description>
    @@ -21,7 +21,7 @@
         <connection>scm:git:git@github.com:FasterXML/jackson-databind.git</connection>
         <developerConnection>scm:git:git@github.com:FasterXML/jackson-databind.git</developerConnection>
         <url>http://github.com/FasterXML/jackson-databind</url>
    -    <tag>HEAD</tag>
    +    <tag>jackson-databind-2.9.10.8</tag>
       </scm>
     
       <properties>
    
3ded28aece69

Fixed #3004

https://github.com/FasterXML/jackson-databind · Tatu Saloranta · Jan 1, 2021 · via ghsa
2 files changed · +16 −7
  • release-notes/VERSION-2.x +2 −0 modified
    @@ -17,6 +17,8 @@ Project: jackson-databind
     #2999: Block 1 more gadget type (org.glassfish.web/javax.servlet.jsp.jstl, CVE-2020-35728)
      (reported by bu5yer of Sangfor FarSight Security Lab)
     #3003: Block one more gadget type (xxx, CVE to be allocated)
    +#3004: Block one more DBCP-related potential gadget class
    + (reported by Al1ex@knownsec)
     
     2.9.10.7 (02-Dec-2020)
     
    
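Review bot: the new entry `#3004: Block one more DBCP-related potential gadget class` undercounts the change and omits the identifiers the neighbouring entries carry. The SubTypeValidator hunks in this same commit add five class names (DriverAdapterCPDS under org.apache.commons.dbcp, oadd.org.apache.commons.dbcp, org.apache.commons.dbcp2, org.apache.tomcat.dbcp.dbcp and org.apache.tomcat.dbcp.dbcp2), and the adjacent #2999 and #3003 entries each name the class or artifact and either the CVE id or a `CVE to be allocated` marker. Suggest naming DriverAdapterCPDS and its package variants and adding the CVE placeholder, following the form of `#3003: Block one more gadget type (xxx, CVE to be allocated)`.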
  • src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java +14 −7 modified
    @@ -118,9 +118,12 @@ public class SubTypeValidator
             // [databind#2704]: xalan2
             s.add("com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool");
     
    -        // [databind#2478]: comons-dbcp, p6spy
    +        // [databind#2478]: commons-dbcp 1.x, p6spy
    +        // [databind#3004]: commons-dbcp 1.x
    +        s.add("org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS");
             s.add("org.apache.commons.dbcp.datasources.PerUserPoolDataSource");
             s.add("org.apache.commons.dbcp.datasources.SharedPoolDataSource");
    +
             s.add("com.p6spy.engine.spy.P6DataSource");
     
             // [databind#2498]: log4j-extras (1.2)
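Review bot: the two stacked comments `// [databind#2478]: commons-dbcp 1.x, p6spy` and `// [databind#3004]: commons-dbcp 1.x` are redundant and inconsistent with the later hunks of this commit, which fold the new issue into a single comment (`// [databind#2986], [databind#3004]: dbcp2`). The added blank line before `s.add("com.p6spy.engine.spy.P6DataSource");` also detaches the p6spy entry from the only comment that mentions it. Suggest one line, `// [databind#2478], [databind#3004]: commons-dbcp 1.x, p6spy`, and no extra blank line.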
    @@ -185,8 +188,9 @@ public class SubTypeValidator
             // [databind#2682]: commons-jelly
             s.add("org.apache.commons.jelly.impl.Embedded");
     
    -        // [databind#2688]: apache/drill
    +        // [databind#2688], [databind#3004]: apache/drill
             s.add("oadd.org.apache.xalan.lib.sql.JNDIConnectionPool");
    +        s.add("oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS");
             s.add("oadd.org.apache.commons.dbcp.datasources.PerUserPoolDataSource");
             s.add("oadd.org.apache.commons.dbcp.datasources.SharedPoolDataSource");
     
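Review bot: nothing in this commit exercises the new entries. The change touches only the release notes and SubTypeValidator (2 files changed), so no test asserts that a type id of `oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS`, or any of the other four DriverAdapterCPDS variants added here, is now refused. Suggest adding the five names to the test that checks blocked gadget class names, so a later reordering or merge conflict in this long hand-maintained list cannot silently drop one.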
    @@ -209,32 +213,35 @@ public class SubTypeValidator
             s.add("com.nqadmin.rowset.JdbcRowSetImpl");
             s.add("org.arrah.framework.rdbms.UpdatableJdbcRowsetImpl");
     
    -        // [databind#2986]: dbcp2
    +        // [databind#2986], [databind#3004]: dbcp2
             s.add("org.apache.commons.dbcp2.datasources.PerUserPoolDataSource");
             s.add("org.apache.commons.dbcp2.datasources.SharedPoolDataSource");
    +        s.add("org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS");
     
             // [databind#2996]: newrelic-agent + embedded-logback-core
             // (derivative of #2334 and #2389)
             s.add("com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource");
             s.add("com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource");
     
    -        // [databind#2997]: tomcat/naming-factory-dbcp (embedded dbcp 1.x)
    +        // [databind#2997]/[databind#3004]: tomcat/naming-factory-dbcp (embedded dbcp 1.x)
             // (derivative of #2478)
    +        s.add("org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS");
             s.add("org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource");
             s.add("org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource");
     
    -        // [databind#2998]: org.apache.tomcat/tomcat-dbcp (embedded dbcp 2.x)
    +        // [databind#2998]/[databind#3004]: org.apache.tomcat/tomcat-dbcp (embedded dbcp 2.x)
             // (derivative of #2478)
    +        s.add("org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS");
             s.add("org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource");
             s.add("org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource");
     
             // [databind#2999]: org.glassfish.web/javax.servlet.jsp.jstl (embedded Xalan)
             // (derivative of #2469)
             s.add("com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool");
     
    -        // [databind#303]: another case of embedded Xalan (derivative of #2469)
    +        // [databind#3003]: another case of embedded Xalan (derivative of #2469)
             s.add("org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool");
    -
    +        
             DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
         }
     
    
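Review bot: the whitespace change at the end of the hunk swaps an empty line for a line of eight spaces (`+        ` immediately before `DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);`), introducing trailing whitespace; drop the `+` line and keep the empty one. The `[databind#303]` to `[databind#3003]` comment correction is unrelated to #3004 and is not mentioned in the commit message `Fixed #3004`; either split it out or note it there. The dbcp2 and tomcat-dbcp DriverAdapterCPDS additions themselves are placed consistently with the existing PerUserPoolDataSource / SharedPoolDataSource entries.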

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

14

News mentions

0

No linked articles in our index yet.