CVE-2020-36188
Description
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
FasterXML jackson-databind before 2.9.10.8 allows remote code execution via a crafted gadget chain using New Relic Agent's embedded Logback JNDIConnectionSource.
Vulnerability
Overview
CVE-2020-36188 is a deserialization vulnerability in FasterXML jackson-databind versions prior to 2.9.10.8. The issue arises when polymorphic default typing is enabled, so the type id in attacker-supplied JSON can name arbitrary classes on the classpath. The specific gadget class com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource can be used to trigger JNDI injection, leading to remote code execution [2][3]. This is a derivative of previously blocked gadget chains (e.g., CVE-2020-35490) [4].
Exploitation
Exploitation requires that the application enables default typing (e.g., via @JsonTypeInfo or ObjectMapper.enableDefaultTyping()) and has the New Relic Agent library (which includes an embedded Logback) on the classpath. An attacker can craft a JSON payload that, when deserialized, instantiates the JNDIConnectionSource class. This class performs a JNDI lookup to an attacker-controlled server, enabling remote code execution [2][3]. No authentication is required if the deserialization endpoint is exposed.
Impact
Successful exploitation allows an attacker to execute arbitrary code in the context of the Java application. The vulnerability has a CVSS v3.1 base score of 8.1 (High) [2]. It affects all jackson-databind versions from 2.0 up to but not including 2.9.10.8.
Mitigation
The vulnerability is fixed in jackson-databind version 2.9.10.8, which adds the gadget class to the default deny list [4]. Users should upgrade to the latest version or, if default typing is not required, disable it. As of this writing, the CVE is not listed in CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
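A Java hardening example added here (not code from the advisory or from the jackson-databind project): the weak enableDefaultTyping() setup that is the CVE's precondition, next to an allowlisted configuration that keeps default typing but rejects any type id outside the application's own package, plus a regression check that the gadget class named above is refused. It assumes jackson-databind 2.10 or later (activateDefaultTyping and BasicPolymorphicTypeValidator were introduced there) and a hypothetical com.example.app model package.

```java
package com.example.app;

import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingHardening {

    // Hypothetical application type that legitimately needs polymorphic handling.
    public static class Event {
        public String name;
    }

    // Weak: the CVE's precondition. Any class on the classpath may be named as a type id.
    @SuppressWarnings("deprecation")
    static ObjectMapper weakMapper() {
        return new ObjectMapper().enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
    }

    // Hardened: default typing stays on, but type ids must resolve to classes under the
    // application's own package; anything else is rejected before the class is loaded.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.app.")   // hypothetical package prefix
                .build();
        return new ObjectMapper().activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
    }

    // Regression check: does the mapper refuse a type id naming the blocked gadget class?
    // Constructed input: default typing's array wrapper with the class name and no properties.
    static boolean rejectsGadgetTypeId(ObjectMapper mapper) {
        String json = "[\"com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource\",{}]";
        try {
            mapper.readValue(json, Object.class);
            return false; // type id accepted: vulnerable configuration
        } catch (JsonMappingException e) {
            // Thrown by the allowlist above (InvalidTypeIdException) or by the 2.9.10.8 deny list
            // (InvalidDefinitionException); also thrown when the class is simply not present.
            return true;
        } catch (java.io.IOException e) {
            return false; // malformed input, not a type-id rejection
        }
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper hardened = hardenedMapper();
        System.out.println("gadget type id rejected: " + rejectsGadgetTypeId(hardened));
        Event ev = new Event();
        ev.name = "login";
        String wire = hardened.writeValueAsString(ev); // still carries the allowed type id
        System.out.println(hardened.readValue(wire, Event.class).name);
    }
}
```

Running the same check against weakMapper() on a pre-2.9.10.8 classpath that contains the New Relic agent is the quick way to confirm an application is exposed; on 2.9.10.8 or later the deny list makes even the weak mapper return true for this class, but not for gadgets that are not yet listed.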
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| com.fasterxml.jackson.core:jackson-databind | Maven | >= 2.7.0, < 2.9.10.8 | 2.9.10.8 |
| com.fasterxml.jackson.core:jackson-databind | Maven | >= 2.0.0, < 2.6.7.5 | 2.6.7.5 |
Affected products
- FasterXML/jackson-databind
Patches
3e19c557b7891 [maven-release-plugin] prepare release jackson-databind-2.6.7.5
1 file changed · +2 −2
pom.xml+2 −2 modified@@ -10,7 +10,7 @@ <groupId>com.fasterxml.jackson.core</groupId> <artifactId>jackson-databind</artifactId> - <version>2.6.7.5-SNAPSHOT</version> + <version>2.6.7.5</version> <name>jackson-databind</name> <packaging>bundle</packaging> <description>General data-binding functionality for Jackson: works on core streaming API</description> @@ -21,7 +21,7 @@ <connection>scm:git:git@github.com:FasterXML/jackson-databind.git</connection> <developerConnection>scm:git:git@github.com:FasterXML/jackson-databind.git</developerConnection> <url>http://github.com/FasterXML/jackson-databind</url> - <tag>HEAD</tag> + <tag>jackson-databind-2.6.7.5</tag> </scm> <properties>
7ae9214c0670 [maven-release-plugin] prepare release jackson-databind-2.9.10.8
1 file changed · +2 −2
pom.xml+2 −2 modified@@ -10,7 +10,7 @@ <groupId>com.fasterxml.jackson.core</groupId> <artifactId>jackson-databind</artifactId> - <version>2.9.10.8-SNAPSHOT</version> + <version>2.9.10.8</version> <name>jackson-databind</name> <packaging>bundle</packaging> <description>General data-binding functionality for Jackson: works on core streaming API</description> @@ -21,7 +21,7 @@ <connection>scm:git:git@github.com:FasterXML/jackson-databind.git</connection> <developerConnection>scm:git:git@github.com:FasterXML/jackson-databind.git</developerConnection> <url>http://github.com/FasterXML/jackson-databind</url> - <tag>HEAD</tag> + <tag>jackson-databind-2.9.10.8</tag> </scm> <properties>
33d96c13fe18 Fixed #2996
2 files changed · +7 −0
release-notes/VERSION-2.x+2 −0 modified@@ -8,6 +8,8 @@ Project: jackson-databind #2986: Block two more gadget types (commons-dbcp2, CVE-2020-35490/CVE-2020-35491) (reported by Al1ex@knownsec) +#2996: Block 2 more gadget types (placeholder) + (reported by Al1ex@knownsec) 2.9.10.7 (02-Dec-2020)
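Review bot: the new release-notes entry still reads "#2996: Block 2 more gadget types (placeholder)", while the neighbouring #2986 entry names the gadget library and its CVE ids; replace the placeholder with the blocked library (newrelic-agent's embedded logback-core) and the CVE id once assigned, so the deny-list history stays searchable by CVE.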
src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java+5 −0 modified@@ -211,6 +211,11 @@ public class SubTypeValidator s.add("org.apache.commons.dbcp2.datasources.PerUserPoolDataSource"); s.add("org.apache.commons.dbcp2.datasources.SharedPoolDataSource"); + // [databind#2996]: newrelic-agent + embedded-logback-core + // (derivative of #2334 and #2389) + s.add("com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource"); + s.add("com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource"); + DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s); }
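Review bot: the two s.add(...) entries block only these exact shaded class names under com.newrelic.agent.deps, and the comment itself calls them a derivative of #2334 and #2389, i.e. the same logback-core classes already blocked under their original package; other relocations of the same classes would not match. Worth stating in the PR (and the release note) that this string deny list is a stop-gap and that applications enabling default typing should not rely on it alone.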
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-f9xh-2qgp-cq57 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2020-36188 (ghsa, ADVISORY)
- cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 (ghsa, x_refsource_MISC, WEB)
- github.com/FasterXML/jackson-databind/commit/33d96c13fe18a2dad01b19ce195548c9acea9da4 (ghsa, WEB)
- github.com/FasterXML/jackson-databind/issues/2996 (ghsa, x_refsource_MISC, WEB)
- lists.debian.org/debian-lts-announce/2021/04/msg00025.html (ghsa, mailing-list, x_refsource_MLIST, WEB)
- security.netapp.com/advisory/ntap-20210205-0005 (ghsa, WEB)
- security.netapp.com/advisory/ntap-20210205-0005/ (mitre, x_refsource_CONFIRM)
- www.oracle.com//security-alerts/cpujul2021.html (ghsa, x_refsource_MISC, WEB)
- www.oracle.com/security-alerts/cpuApr2021.html (ghsa, x_refsource_MISC, WEB)
- www.oracle.com/security-alerts/cpuapr2022.html (ghsa, x_refsource_MISC, WEB)
- www.oracle.com/security-alerts/cpujan2022.html (ghsa, x_refsource_MISC, WEB)
- www.oracle.com/security-alerts/cpujul2022.html (ghsa, x_refsource_MISC, WEB)
- www.oracle.com/security-alerts/cpuoct2021.html (ghsa, x_refsource_MISC, WEB)
News mentions
No linked articles in our index yet.