CVE-2020-36187
Description
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles serialization gadgets and typing, allowing remote code execution via the org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource class.
Vulnerability Analysis
CVE-2020-36187 is a deserialization vulnerability in FasterXML jackson-databind versions prior to 2.9.10.8. The root cause is improper handling of the interaction between serialization gadgets and polymorphic type handling ("default typing", enabled via enableDefaultTyping()). When an ObjectMapper has default typing enabled and the classpath contains certain libraries, attackers can leverage known gadget chains to achieve remote code execution. In this specific case, the vulnerable gadget class is org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource from the Tomcat DBCP library [1][2].
Exploitation Details
Exploitation requires the attacker to provide a crafted JSON payload that triggers deserialization of malicious objects. The attacker must identify a service that uses jackson-databind with default typing enabled and has tomcat-dbcp (specifically version 1.x of commons-dbcp embedded within Tomcat) on the classpath. The vulnerable class SharedPoolDataSource is blocked in the fix commit by adding it to the DEFAULT_NO_DESER_CLASS_NAMES set [4]. This vulnerability is related to similar issues CVE-2020-36186 (the other gadget in the same commit) and earlier CVEs like CVE-2020-35490 and CVE-2020-35491 [3][4].
Impact Assessment
Successful exploitation allows an unauthenticated remote attacker to execute arbitrary code on the affected system. The CVSS v3.1 base score is 9.8 (Critical) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [2]. This means the vulnerability can be exploited over the network with low complexity, no privileges required, and no user interaction, resulting in complete compromise of confidentiality, integrity, and availability.
Mitigation
The vulnerability is fixed in jackson-databind version 2.9.10.8 and later. Users should upgrade to at least this version. As a defense-in-depth measure, users are also advised to avoid enabling default typing in production unless absolutely necessary [2][3]. The fix commit specifically blocks the org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource class from being deserialized [4].
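The following is an added example, not code from this advisory or from the jackson-databind project. It contrasts the ObjectMapper configuration this CVE depends on (global default typing via enableDefaultTyping()) with two safer alternatives: explicit per-type polymorphism with a closed set of named subtypes, which works on every 2.x release, and an allow-listing PolymorphicTypeValidator, which exists only from jackson-databind 2.10 onward. The Shape and Circle types, the com.example.model package prefix and the JSON strings are assumptions made for illustration.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

// Added example (not from the advisory or the jackson-databind project).
// Shows the weak configuration behind CVE-2020-36187 next to two safer ones.
public class DefaultTypingExample {

    // Weak: global default typing. Any property declared as Object, an
    // interface or a non-final class may carry a class name chosen by the
    // sender of the JSON. jackson-databind 2.x before 2.9.10.8 only screens
    // these names against the DEFAULT_NO_DESER_CLASS_NAMES deny list, which
    // did not yet contain SharedPoolDataSource.
    static ObjectMapper weakMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(); // deprecated since 2.10; avoid in production
        return m;
    }

    // Safer on every 2.x: default typing stays off and polymorphism is
    // declared on one base type with a closed set of logical type names,
    // so the JSON never names a Java class at all.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "kind")
    @JsonSubTypes({ @JsonSubTypes.Type(value = Circle.class, name = "circle") })
    interface Shape { double area(); }  // assumed type for illustration

    static final class Circle implements Shape {
        public double r;
        public double area() { return Math.PI * r * r; }
    }

    static ObjectMapper explicitMapper() {
        return new ObjectMapper(); // no enableDefaultTyping() call
    }

    // Safer on 2.10+: if default typing is really needed, restrict it to an
    // allow-listed package via a PolymorphicTypeValidator instead of relying
    // on the global deny list. "com.example.model." is an assumed prefix.
    static ObjectMapper allowListMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType("com.example.model.")
            .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a known logical type name resolves to Circle.
        String ok = "{\"kind\":\"circle\",\"r\":2.0}";
        Shape s = explicitMapper().readValue(ok, Shape.class);
        System.out.println("area = " + s.area());

        // A type id outside the @JsonSubTypes set is rejected before any class
        // is loaded, which is the property default typing lacks.
        String unknown = "{\"kind\":\"org.example.Other\",\"r\":1.0}";
        try {
            explicitMapper().readValue(unknown, Shape.class);
        } catch (InvalidTypeIdException e) {
            System.out.println("rejected type id: " + e.getTypeId());
        }
    }
}
```

Grepping a code base for enableDefaultTyping( and for activateDefaultTyping( calls that pass LaissezFaireSubTypeValidator is a quick way to find mappers that still depend on the deny list rather than an allow list.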
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.fasterxml.jackson.core:jackson-databind (Maven) | >= 2.0.0, < 2.9.10.8 | 2.9.10.8 |
Affected products
- FasterXML/jackson-databind
Patches
3e19c557b7891[maven-release-plugin] prepare release jackson-databind-2.6.7.5
1 file changed · +2 −2
pom.xml+2 −2 modified@@ -10,7 +10,7 @@ <groupId>com.fasterxml.jackson.core</groupId> <artifactId>jackson-databind</artifactId> - <version>2.6.7.5-SNAPSHOT</version> + <version>2.6.7.5</version> <name>jackson-databind</name> <packaging>bundle</packaging> <description>General data-binding functionality for Jackson: works on core streaming API</description> @@ -21,7 +21,7 @@ <connection>scm:git:git@github.com:FasterXML/jackson-databind.git</connection> <developerConnection>scm:git:git@github.com:FasterXML/jackson-databind.git</developerConnection> <url>http://github.com/FasterXML/jackson-databind</url> - <tag>HEAD</tag> + <tag>jackson-databind-2.6.7.5</tag> </scm> <properties>
7ae9214c0670[maven-release-plugin] prepare release jackson-databind-2.9.10.8
1 file changed · +2 −2
pom.xml+2 −2 modified@@ -10,7 +10,7 @@ <groupId>com.fasterxml.jackson.core</groupId> <artifactId>jackson-databind</artifactId> - <version>2.9.10.8-SNAPSHOT</version> + <version>2.9.10.8</version> <name>jackson-databind</name> <packaging>bundle</packaging> <description>General data-binding functionality for Jackson: works on core streaming API</description> @@ -21,7 +21,7 @@ <connection>scm:git:git@github.com:FasterXML/jackson-databind.git</connection> <developerConnection>scm:git:git@github.com:FasterXML/jackson-databind.git</developerConnection> <url>http://github.com/FasterXML/jackson-databind</url> - <tag>HEAD</tag> + <tag>jackson-databind-2.9.10.8</tag> </scm> <properties>
3e8fa3beea49Fixed #2997
2 files changed · +8 −1
release-notes/VERSION-2.x+3 −1 modified@@ -8,7 +8,9 @@ Project: jackson-databind #2986: Block two more gadget types (commons-dbcp2, CVE-2020-35490/CVE-2020-35491) (reported by Al1ex@knownsec) -#2996: Block 2 more gadget types (placeholder) +#2996: Block 2 more gadget types (newrelic-agent) + (reported by Al1ex@knownsec) +#2997: Block 2 more gadget types (tomcat/naming-factory-dbcp) (reported by Al1ex@knownsec) 2.9.10.7 (02-Dec-2020)
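Review bot: the hunk also rewrites the existing #2996 entry (replacing the "(placeholder)" text with "(newrelic-agent)" and its reporter line), which the commit message "Fixed #2997" does not mention; either split that amendment into its own commit or say in the message that the #2996 note is completed here as well, so the release-notes history for 2.9.10.8 stays traceable.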
src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java+5 −0 modified@@ -216,6 +216,11 @@ public class SubTypeValidator s.add("com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource"); s.add("com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource"); + // [databind#2997]: tomcat/naming-factory-dbcp (embedded dbcp 1.x) + // (derivative of #2478) + s.add("org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource"); + s.add("org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource"); + DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s); }
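Review bot: the two new s.add(...) entries for org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource and SharedPoolDataSource come with no accompanying test (the commit touches only the release notes and SubTypeValidator.java), so nothing guards against the names being dropped in a later edit of the deny list; add a test that asserts both fully-qualified names are refused, as was done for the earlier #2478 commons-dbcp entries this hunk says it derives from.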
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-r695-7vr9-jgc2
- nvd.nist.gov/vuln/detail/CVE-2020-36187
- cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
- github.com/FasterXML/jackson-databind/commit/3e8fa3beea49ea62109df9e643c9cb678dabdde1
- github.com/FasterXML/jackson-databind/issues/2997
- lists.debian.org/debian-lts-announce/2021/04/msg00025.html
- security.netapp.com/advisory/ntap-20210205-0005
- security.netapp.com/advisory/ntap-20210205-0005/
- www.oracle.com//security-alerts/cpujul2021.html
- www.oracle.com/security-alerts/cpuApr2021.html
- www.oracle.com/security-alerts/cpuapr2022.html
- www.oracle.com/security-alerts/cpujan2022.html
- www.oracle.com/security-alerts/cpujul2022.html
- www.oracle.com/security-alerts/cpuoct2021.html
News mentions
No linked articles in our index yet.