High severityNVD Advisory· Published Jan 6, 2021· Updated Aug 4, 2024

CVE-2020-36186

Description

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource, enabling remote code execution.

Vulnerability

Description

CVE-2020-36186 is a deserialization vulnerability in FasterXML jackson-databind 2.x prior to version 2.9.10.8. The root cause is the mishandling of the interaction between serialization gadgets and typing, specifically when the class org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource (part of the Tomcat DBCP library) is allowed as a polymorphic type during deserialization. This gadget class can be used to construct a chain that ultimately leads to arbitrary code execution.

Exploitation

To exploit this vulnerability, an attacker must satisfy two primary conditions: the application must enable Jackson polymorphic type handling (often via @JsonTypeInfo or global ObjectMapper.enableDefaultTyping()), and the Tomcat DBCP library (specifically tomcat-dbcp containing the PerUserPoolDataSource class) must be on the classpath. The attacker then sends a crafted JSON payload that, when deserialized, triggers a series of method calls that execute arbitrary commands on the server. No authentication is required if the endpoint is publicly accessible [2][3].

Impact

Successful exploitation allows a remote, unauthenticated attacker to achieve remote code execution (RCE) on the affected application server. The impact is critical, as it can lead to full system compromise, data theft, or further lateral movement within the network. The vulnerability is rated with a CVSS score of 9.8 (Critical) [2].

Mitigation

The vulnerability is fixed in jackson-databind version 2.9.10.8. Users should upgrade immediately to that version or later. The fix, implemented in commit 3e8fa3b, adds org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource and org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource to the default blacklist of dangerous classes, preventing them from being automatically deserialized [3][4].

References

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
com.fasterxml.jackson.core:jackson-databindMaven	>= 2.0.0, < 2.9.10.8	2.9.10.8

Affected products

FasterXML/jackson-databinddescription
ghsa-coords
pkg:maven/com.fasterxml.jackson.core/jackson-databind
Range: >= 2.0.0, < 2.9.10.8

Patches

e19c557b7891

[maven-release-plugin] prepare release jackson-databind-2.6.7.5

https://github.com/FasterXML/jackson-databindTatu SalorantaJun 22, 2021via osv

commit

1 file changed · +2 −2

pom.xml+2 −2 modified

@@ -10,7 +10,7 @@
 
   <groupId>com.fasterxml.jackson.core</groupId>
   <artifactId>jackson-databind</artifactId>
-  <version>2.6.7.5-SNAPSHOT</version>
+  <version>2.6.7.5</version>
   <name>jackson-databind</name>
   <packaging>bundle</packaging>
   <description>General data-binding functionality for Jackson: works on core streaming API</description>
@@ -21,7 +21,7 @@
     <connection>scm:git:git@github.com:FasterXML/jackson-databind.git</connection>
     <developerConnection>scm:git:git@github.com:FasterXML/jackson-databind.git</developerConnection>
     <url>http://github.com/FasterXML/jackson-databind</url>
-    <tag>HEAD</tag>
+    <tag>jackson-databind-2.6.7.5</tag>
   </scm>
 
   <properties>

7ae9214c0670

[maven-release-plugin] prepare release jackson-databind-2.9.10.8

https://github.com/FasterXML/jackson-databindTatu SalorantaJan 6, 2021via osv

commit

1 file changed · +2 −2

pom.xml+2 −2 modified

@@ -10,7 +10,7 @@
 
   <groupId>com.fasterxml.jackson.core</groupId>
   <artifactId>jackson-databind</artifactId>
-  <version>2.9.10.8-SNAPSHOT</version>
+  <version>2.9.10.8</version>
   <name>jackson-databind</name>
   <packaging>bundle</packaging>
   <description>General data-binding functionality for Jackson: works on core streaming API</description>
@@ -21,7 +21,7 @@
     <connection>scm:git:git@github.com:FasterXML/jackson-databind.git</connection>
     <developerConnection>scm:git:git@github.com:FasterXML/jackson-databind.git</developerConnection>
     <url>http://github.com/FasterXML/jackson-databind</url>
-    <tag>HEAD</tag>
+    <tag>jackson-databind-2.9.10.8</tag>
   </scm>
 
   <properties>

3e8fa3beea49

Fixed #2997

https://github.com/FasterXML/jackson-databindTatu SalorantaDec 26, 2020via ghsa

commit

2 files changed · +8 −1

release-notes/VERSION-2.x+3 −1 modified

@@ -8,7 +8,9 @@ Project: jackson-databind
 
 #2986: Block two more gadget types (commons-dbcp2, CVE-2020-35490/CVE-2020-35491)
  (reported by Al1ex@knownsec)
-#2996: Block 2 more gadget types (placeholder)
+#2996: Block 2 more gadget types (newrelic-agent)
+ (reported by Al1ex@knownsec)
+#2997: Block 2 more gadget types (tomcat/naming-factory-dbcp)
  (reported by Al1ex@knownsec)
 
 2.9.10.7 (02-Dec-2020)

src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java+5 −0 modified

@@ -216,6 +216,11 @@ public class SubTypeValidator
         s.add("com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource");
         s.add("com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource");
 
+        // [databind#2997]: tomcat/naming-factory-dbcp (embedded dbcp 1.x)
+        // (derivative of #2478)
+        s.add("org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource");
+        s.add("org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource");
+
         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
     }

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-v585-23hc-c647ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2020-36186ghsaADVISORY
cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062ghsax_refsource_MISCWEB
github.com/FasterXML/jackson-databind/commit/3e8fa3beea49ea62109df9e643c9cb678dabdde1ghsaWEB
github.com/FasterXML/jackson-databind/issues/2997ghsax_refsource_MISCWEB
lists.debian.org/debian-lts-announce/2021/04/msg00025.htmlghsamailing-listx_refsource_MLISTWEB
security.netapp.com/advisory/ntap-20210205-0005ghsaWEB
security.netapp.com/advisory/ntap-20210205-0005/mitrex_refsource_CONFIRM
www.oracle.com//security-alerts/cpujul2021.htmlghsax_refsource_MISCWEB
www.oracle.com/security-alerts/cpuApr2021.htmlghsax_refsource_MISCWEB
www.oracle.com/security-alerts/cpuapr2022.htmlghsax_refsource_MISCWEB
www.oracle.com/security-alerts/cpujan2022.htmlghsax_refsource_MISCWEB
www.oracle.com/security-alerts/cpujul2022.htmlghsax_refsource_MISCWEB
www.oracle.com/security-alerts/cpuoct2021.htmlghsax_refsource_MISCWEB

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.002
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000