CVE-2020-36185
Description
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
FasterXML jackson-databind before 2.9.10.8 allows remote code execution via unsafe deserialization when using default typing, exploiting the tomcat-dbcp SharedPoolDataSource gadget.
CVE-2020-36185 is a deserialization vulnerability in FasterXML jackson-databind versions prior to 2.9.10.8. The root cause is the library's mishandling of the interaction between serialization gadgets and typing, specifically failing to block the class org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource from the tomcat-dbcp library. This class can be used as a gadget in a deserialization chain, similar to previously reported issues (CVE-2020-36184) [3].
Exploitation requires that Jackson's default typing mechanism is enabled (e.g., via @JsonTypeInfo or ObjectMapper.enableDefaultTyping()). An attacker can craft a malicious JSON payload that, when deserialized by a vulnerable application, triggers the gadget chain to execute arbitrary code. No authentication is needed if the deserialization endpoint is exposed to untrusted input [3][4].
Successful exploitation leads to remote code execution in the context of the Java application, potentially allowing an attacker to take full control of the affected system. The vulnerability is particularly dangerous because jackson-databind is widely used in enterprise Java applications for JSON processing.
The issue is fixed in jackson-databind version 2.9.10.8, which adds the SharedPoolDataSource class (along with PerUserPoolDataSource) to the default block list of dangerous types [4]. Users should upgrade immediately. As a workaround, disable default typing if it is not required for the application's functionality.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
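The mitigation above has two parts: upgrade past 2.9.10.8, and do not leave default typing enabled unless the application needs polymorphic deserialization. The following is an added example, not code from the page or from the jackson-databind project, showing the weak setting the advisory describes beside an allow-list configuration. The `DefaultTypingHardening`, `Shape`, `Circle` and `Square` names and both JSON documents are constructed for the example; `activateDefaultTyping` and `BasicPolymorphicTypeValidator` are real jackson-databind APIs that exist from 2.10 onward, so the hardened half does not compile against the 2.9.x line the CVE covers.

```java
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.ObjectMapper.DefaultTyping;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

/**
 * Hypothetical example (not jackson-databind's own code): the global
 * default-typing setting that the gadget-class CVEs depend on, beside an
 * allow-list based configuration. Needs jackson-databind 2.10+ for
 * PolymorphicTypeValidator and activateDefaultTyping.
 */
public class DefaultTypingHardening {

    // Constructed model types: a polymorphic base and the two subtypes we own.
    public interface Shape { }
    public static class Circle implements Shape { public double radius; }
    public static class Square implements Shape { public double side; }

    /** Weak: any non-final declared type accepts whatever class name the input supplies. */
    public static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(DefaultTyping.NON_FINAL); // deprecated since 2.10
        return mapper;
    }

    /**
     * Hardened: default typing stays on, but only the listed subtypes may be
     * instantiated from a type id. Anything else is rejected before an instance
     * is built, independently of the library's built-in block list.
     */
    public static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Circle.class)
                .allowIfSubType(Square.class)
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, DefaultTyping.NON_FINAL);
        return mapper;
    }

    /** True if the mapper deserialised the document without refusing its type id. */
    static boolean accepts(ObjectMapper mapper, String json, Class<?> target) {
        try {
            mapper.readValue(json, target);
            return true;
        } catch (JsonMappingException e) {
            return false;   // InvalidTypeIdException: type id denied or not a subtype
        } catch (Exception e) {
            return false;   // malformed input or unresolvable class
        }
    }

    public static void main(String[] args) {
        // NON_FINAL default typing encodes the concrete class as the first element
        // of a wrapper array. Both documents are constructed for this example.
        String circle  = "[\"" + Circle.class.getName() + "\",{\"radius\":2.0}]";
        // A JDK class outside the allow-list; harmless, but not one of ours.
        String foreign = "[\"java.util.HashMap\",{\"k\":\"v\"}]";

        System.out.println("weak accepts Circle as Shape:      " + accepts(weakMapper(), circle, Shape.class));
        System.out.println("weak accepts HashMap as Object:    " + accepts(weakMapper(), foreign, Object.class));
        System.out.println("hardened accepts Circle as Shape:  " + accepts(hardenedMapper(), circle, Shape.class));
        System.out.println("hardened accepts HashMap as Object:" + accepts(hardenedMapper(), foreign, Object.class));
    }
}
```

With the weak mapper every non-final target, including plain `Object`, resolves whatever class name the input names; with the validator in place the same `HashMap` document is refused while the application's own `Circle` still round-trips. If the application never needs polymorphic input, the simpler option the advisory gives, not enabling default typing at all, removes the attack surface entirely.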
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.fasterxml.jackson.core:jackson-databind (Maven) | >= 2.0.0, < 2.9.10.8 | 2.9.10.8 |
Affected products
- FasterXML/jackson-databind
Patches
3e19c557b7891 [maven-release-plugin] prepare release jackson-databind-2.6.7.5
1 file changed · +2 −2
pom.xml+2 −2 modified@@ -10,7 +10,7 @@ <groupId>com.fasterxml.jackson.core</groupId> <artifactId>jackson-databind</artifactId> - <version>2.6.7.5-SNAPSHOT</version> + <version>2.6.7.5</version> <name>jackson-databind</name> <packaging>bundle</packaging> <description>General data-binding functionality for Jackson: works on core streaming API</description> @@ -21,7 +21,7 @@ <connection>scm:git:git@github.com:FasterXML/jackson-databind.git</connection> <developerConnection>scm:git:git@github.com:FasterXML/jackson-databind.git</developerConnection> <url>http://github.com/FasterXML/jackson-databind</url> - <tag>HEAD</tag> + <tag>jackson-databind-2.6.7.5</tag> </scm> <properties>
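Review bot: Nothing in this hunk touches the deserialization block list; the only edits are `-<version>2.6.7.5-SNAPSHOT</version>` becoming `+<version>2.6.7.5</version>` and the scm `<tag>` moving from `HEAD` to `jackson-databind-2.6.7.5`, which is maven-release-plugin bookkeeping. Listing it under Patches invites readers to treat the 2.6.7.5 release commit as the fix; the code change for #2998 is the SubTypeValidator hunk in 567194c53ae9, so this entry should be labelled as the release that ships the fix rather than the fix itself.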
7ae9214c0670 [maven-release-plugin] prepare release jackson-databind-2.9.10.8
1 file changed · +2 −2
pom.xml+2 −2 modified@@ -10,7 +10,7 @@ <groupId>com.fasterxml.jackson.core</groupId> <artifactId>jackson-databind</artifactId> - <version>2.9.10.8-SNAPSHOT</version> + <version>2.9.10.8</version> <name>jackson-databind</name> <packaging>bundle</packaging> <description>General data-binding functionality for Jackson: works on core streaming API</description> @@ -21,7 +21,7 @@ <connection>scm:git:git@github.com:FasterXML/jackson-databind.git</connection> <developerConnection>scm:git:git@github.com:FasterXML/jackson-databind.git</developerConnection> <url>http://github.com/FasterXML/jackson-databind</url> - <tag>HEAD</tag> + <tag>jackson-databind-2.9.10.8</tag> </scm> <properties>
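Review bot: No code change here either; the hunk only drops `-SNAPSHOT` from the version (`+<version>2.9.10.8</version>`) and sets the scm tag to `jackson-databind-2.9.10.8`. It is useful on the page because 2.9.10.8 is the patched version the advisory names, so the tag is what a consumer should pin to, but it does not itself block any gadget class and should be distinguished from 567194c53ae9.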
567194c53ae9 Fixed #2998
2 files changed · +7 −0
release-notes/VERSION-2.x+2 −0 modified@@ -12,6 +12,8 @@ Project: jackson-databind (reported by Al1ex@knownsec) #2997: Block 2 more gadget types (tomcat/naming-factory-dbcp) (reported by Al1ex@knownsec) +#2998: Block 2 more gadget types (org.apache.tomcat/tomcat-dbcp) + (reported by Al1ex@knownsec) 2.9.10.7 (02-Dec-2020)
src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java+5 −0 modified@@ -221,6 +221,11 @@ public class SubTypeValidator s.add("org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource"); s.add("org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource"); + // [databind#2998]: org.apache.tomcat/tomcat-dbcp (embedded dbcp 2.x) + // (derivative of #2478) + s.add("org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource"); + s.add("org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource"); + DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s); }
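Review bot: No test accompanies the two new block-list entries; the commit touches only release-notes/VERSION-2.x and SubTypeValidator.java, so nothing verifies that `org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource` and `org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource` are actually refused when default typing is enabled. Suggest adding a test that enables default typing and asserts an invalid-type-id failure for each name. Also worth noting in the comment: the two lines directly above already block the same class names under `org.apache.tomcat.dbcp.dbcp.datasources`, and this hunk adds the `dbcp2` embedding, so the deny list is matching literal package strings and each repackaging needs its own entry; the `// (derivative of #2478)` remark hints at that, and the PolymorphicTypeValidator allow-list available from 2.10 is the durable alternative for consumers.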
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-8w26-6f25-cm9x (advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-36185 (advisory)
- cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 (web)
- github.com/FasterXML/jackson-databind/commit/567194c53ae91f0a14dc27239afb739b1c10448a (web)
- github.com/FasterXML/jackson-databind/issues/2998 (web)
- lists.debian.org/debian-lts-announce/2021/04/msg00025.html (mailing list)
- security.netapp.com/advisory/ntap-20210205-0005 (web)
- www.oracle.com//security-alerts/cpujul2021.html (web)
- www.oracle.com/security-alerts/cpuApr2021.html (web)
- www.oracle.com/security-alerts/cpuapr2022.html (web)
- www.oracle.com/security-alerts/cpujan2022.html (web)
- www.oracle.com/security-alerts/cpujul2022.html (web)
- www.oracle.com/security-alerts/cpuoct2021.html (web)
News mentions
No linked articles in our index yet.