VYPR
High severity · NVD Advisory · Published Jan 6, 2021 · Updated Aug 4, 2024

CVE-2020-36184

Description

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles interaction between serialization gadgets and typing, allowing remote code execution via org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource.

Overview

CVE-2020-36184 is a remote code execution vulnerability in FasterXML jackson-databind, affecting versions 2.x prior to 2.9.10.8. The root cause is the mishandling of the interaction between serialization gadgets and typing, specifically involving the class org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource [1][2]. This is part of a broader class of gadget chain vulnerabilities that have been addressed in the jackson-databind project over time [4].

Exploitation

To exploit this vulnerability, an attacker must have the ability to submit a crafted JSON payload to an application that uses jackson-databind with default or permissive typing enabled. The attacker needs to know the target class and have the necessary gadget classes (from Apache Tomcat DBCP) available on the classpath. No authentication is required if the endpoint is publicly accessible. The attack works by deserializing a maliciously crafted JSON that triggers the gadget chain through PerUserPoolDataSource, leading to arbitrary code execution [3].

Impact

Successful exploitation allows a remote, unauthenticated attacker to execute arbitrary code on the affected server, potentially leading to full system compromise. NVD rates the vulnerability CVSS 8.1 (High), reflecting the high potential impact and relatively low attack complexity [2]. Because jackson-databind is widely used in enterprise Java applications, the vulnerability poses a significant risk.

Mitigation

The vulnerability is fixed in jackson-databind version 2.9.10.8 and later; users should upgrade to a patched version without delay. The fix, as shown in commit 567194c53ae9, adds PerUserPoolDataSource and SharedPoolDataSource from the embedded dbcp2 package to the SubTypeValidator blocklist of known dangerous types (DEFAULT_NO_DESER_CLASS_NAMES) [4]. Disabling default typing is also a recommended hardening measure, since the blocklist only covers gadget classes that are already known. This CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the latest update.
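The hardening the mitigation paragraph recommends can be shown concretely. The following is an added example, not code from the advisory or from the jackson-databind project. It assumes jackson-databind 2.10 or later for the PolymorphicTypeValidator API (the advisory's fixed version is 2.9.10.8, where option A, the annotation-based allow-list, is the available equivalent); the Animal, Dog, Cat, Shape and Circle classes and the sample JSON are constructed for the demonstration. Option A removes default typing entirely so input can only select from an enumerated set of logical type names; option B keeps default typing but replaces the unrestricted, deprecated enableDefaultTyping() (which accepts any class name not on the SubTypeValidator deny-list extended by this fix) with an allow-list validator scoped to one hierarchy.

```java
import java.io.IOException;

import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

// Added example (not from the advisory or the jackson-databind project).
// Assumes jackson-databind 2.10+ for the PolymorphicTypeValidator API;
// the annotation-based allow-list in option A also works on 2.9.x.
public class SafePolymorphicTyping {

    // ---- Option A: no default typing; subtypes enumerated by annotation ----
    // Type ids are logical names ("dog", "cat"), so input can never name a class.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "kind")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = Dog.class, name = "dog"),
        @JsonSubTypes.Type(value = Cat.class, name = "cat")
    })
    public interface Animal {}
    public static class Dog implements Animal { public String name; }
    public static class Cat implements Animal { public String name; }

    // ---- Option B: default typing kept, but scoped by an allow-list validator ----
    // Shape carries no annotations, so default typing decides how its subtypes are
    // resolved; the validator restricts accepted type ids to Shape and its subtypes.
    public static abstract class Shape {}
    public static class Circle extends Shape { public double radius; }

    static ObjectMapper plainMapper() {
        return new ObjectMapper();   // no default typing enabled at all
    }

    static ObjectMapper allowListMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Shape.class)   // only our own hierarchy may be named
                .build();
        return JsonMapper.builder()
                // replaces the unrestricted, deprecated enableDefaultTyping(), which
                // accepts any class name not on the SubTypeValidator deny-list
                .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL)
                .build();
    }

    // True when the mapper refuses the type id in `json` instead of instantiating it.
    static boolean rejectsTypeId(ObjectMapper mapper, String json, Class<?> base) {
        try {
            mapper.readValue(json, base);
            return false;
        } catch (InvalidTypeIdException e) {
            return true;    // "Could not resolve type id" / "denied resolution"
        } catch (IOException e) {
            return false;   // malformed input, not a type-id rejection
        }
    }

    public static void main(String[] args) throws IOException {
        // constructed sample inputs
        String dogJson = "{\"kind\":\"dog\",\"name\":\"Rex\"}";
        String unknownKind = "{\"kind\":\"java.util.HashMap\",\"name\":\"x\"}";
        Animal a = plainMapper().readValue(dogJson, Animal.class);
        System.out.println("option A accepted: " + a.getClass().getSimpleName());
        System.out.println("option A rejects unknown kind: "
                + rejectsTypeId(plainMapper(), unknownKind, Animal.class));

        ObjectMapper m = allowListMapper();
        // default typing (NON_FINAL) uses the WRAPPER_ARRAY form: ["class-name", {...}]
        String circleJson = "[\"" + Circle.class.getName() + "\",{\"radius\":2.0}]";
        String foreignJson = "[\"java.util.HashMap\",{}]";
        Shape s = m.readValue(circleJson, Shape.class);
        System.out.println("option B accepted: " + s.getClass().getSimpleName());
        System.out.println("option B rejects class outside allow-list: "
                + rejectsTypeId(m, foreignJson, Shape.class));
    }
}
```

Both rejections surface as InvalidTypeIdException before any constructor or setter of the named class runs, which is the property that matters here: an allow-list refuses every class outside the permitted hierarchy, including the DBCP data source classes this advisory blocklists, whether or not a deny-list entry exists for them. Option A is preferable where the set of subtypes is known at build time; option B is the fallback for code that genuinely needs class-name type ids.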

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                              Affected versions      Patched versions
com.fasterxml.jackson.core:jackson-databind (Maven)  >= 2.0.0, < 2.9.10.8   2.9.10.8


Patches (3)
e19c557b7891

[maven-release-plugin] prepare release jackson-databind-2.6.7.5

https://github.com/FasterXML/jackson-databind · Tatu Saloranta · Jun 22, 2021 · via osv
1 file changed · +2 −2
  • pom.xml (+2 −2, modified)
    @@ -10,7 +10,7 @@
     
       <groupId>com.fasterxml.jackson.core</groupId>
       <artifactId>jackson-databind</artifactId>
    -  <version>2.6.7.5-SNAPSHOT</version>
    +  <version>2.6.7.5</version>
       <name>jackson-databind</name>
       <packaging>bundle</packaging>
       <description>General data-binding functionality for Jackson: works on core streaming API</description>
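Review bot: the only change in this hunk is `<version>2.6.7.5-SNAPSHOT</version>` becoming `<version>2.6.7.5</version>`, so this commit is a maven-release-plugin marker rather than the fix; the code change for this CVE is the SubTypeValidator edit in 567194c53ae9, and a reader tracing the patch set should confirm that change is present in the release rather than treating this pom bump as evidence of it.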
    @@ -21,7 +21,7 @@
         <connection>scm:git:git@github.com:FasterXML/jackson-databind.git</connection>
         <developerConnection>scm:git:git@github.com:FasterXML/jackson-databind.git</developerConnection>
         <url>http://github.com/FasterXML/jackson-databind</url>
    -    <tag>HEAD</tag>
    +    <tag>jackson-databind-2.6.7.5</tag>
       </scm>
     
       <properties>
    
7ae9214c0670

[maven-release-plugin] prepare release jackson-databind-2.9.10.8

https://github.com/FasterXML/jackson-databind · Tatu Saloranta · Jan 6, 2021 · via osv
1 file changed · +2 −2
  • pom.xml (+2 −2, modified)
    @@ -10,7 +10,7 @@
     
       <groupId>com.fasterxml.jackson.core</groupId>
       <artifactId>jackson-databind</artifactId>
    -  <version>2.9.10.8-SNAPSHOT</version>
    +  <version>2.9.10.8</version>
       <name>jackson-databind</name>
       <packaging>bundle</packaging>
       <description>General data-binding functionality for Jackson: works on core streaming API</description>
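Review bot: this hunk bumps `<version>` to `2.9.10.8`, the version the advisory lists under "Patched versions", but it contains no code; the release is only meaningful as a fix because 567194c53ae9 (the SubTypeValidator change) is included in it, so the advisory's patch list should be read as one fix commit plus two release markers.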
    @@ -21,7 +21,7 @@
         <connection>scm:git:git@github.com:FasterXML/jackson-databind.git</connection>
         <developerConnection>scm:git:git@github.com:FasterXML/jackson-databind.git</developerConnection>
         <url>http://github.com/FasterXML/jackson-databind</url>
    -    <tag>HEAD</tag>
    +    <tag>jackson-databind-2.9.10.8</tag>
       </scm>
     
       <properties>
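Review bot: the `<tag>` change from `HEAD` to `jackson-databind-2.9.10.8` is the standard release-plugin step and is fine; one point from the unchanged context, `<url>http://github.com/FasterXML/jackson-databind</url>` in the scm block still uses plain http, and switching it to https in a follow-up avoids a cleartext redirect for tooling that follows the scm URL.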
    
567194c53ae9

Fixed #2998

https://github.com/FasterXML/jackson-databind · Tatu Saloranta · Dec 26, 2020 · via ghsa
2 files changed · +7 −0
  • release-notes/VERSION-2.x (+2 −0, modified)
    @@ -12,6 +12,8 @@ Project: jackson-databind
      (reported by Al1ex@knownsec)
     #2997: Block 2 more gadget types (tomcat/naming-factory-dbcp)
      (reported by Al1ex@knownsec)
    +#2998: Block 2 more gadget types (org.apache.tomcat/tomcat-dbcp)
    + (reported by Al1ex@knownsec)
     
     2.9.10.7 (02-Dec-2020)
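Review bot: the new `#2998` entry names the artifact (org.apache.tomcat/tomcat-dbcp) but not the two classes the SubTypeValidator hunk actually blocks; listing `org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource` and `org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource` here, as the adjacent `#2997` entry could also do, would let downstream consumers match an advisory to the change without reading the code.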
     
    
  • src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java (+5 −0, modified)
    @@ -221,6 +221,11 @@ public class SubTypeValidator
             s.add("org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource");
             s.add("org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource");
     
    +        // [databind#2998]: org.apache.tomcat/tomcat-dbcp (embedded dbcp 2.x)
    +        // (derivative of #2478)
    +        s.add("org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource");
    +        s.add("org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource");
    +
             DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
         }
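Review bot: the two added `s.add(...)` lines extend a deny-list keyed on exact fully qualified names, so the check covers only these two classes and not subclasses or other classes in the same artifact that expose the same capability; the comment marks this as a derivative of #2478, and like that change it should ship with a test asserting that deserialization of each added name is refused, while the documentation should keep steering users toward disabling default typing or using an explicit allow-list, since DEFAULT_NO_DESER_CLASS_NAMES is a backstop rather than the primary control.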
     
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
