CVE-2020-36189
Description
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
FasterXML jackson-databind 2.x before 2.9.10.8 (and 2.6.x before 2.6.7.5) accepts a crafted JSON document that names com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource, the shaded logback-core gadget bundled in the New Relic Java agent, as a polymorphic type when default typing is enabled; the outcome is remote code execution in the deserializing process.
Vulnerability
Overview
CVE-2020-36189 is a deserialization vulnerability in FasterXML jackson-databind 2.x prior to 2.9.10.8 (2.6.x prior to 2.6.7.5 per the GitHub advisory). Jackson's "default typing" lets a JSON document name the concrete Java class to instantiate for a polymorphic property; the library defends this with a deny list of known gadget classes in SubTypeValidator, keyed on fully-qualified class names [1][2]. The class com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource is a shaded (package-relocated) copy of logback-core's DriverManagerConnectionSource that the New Relic Java agent bundles under its own package prefix. The unshaded class had already been blocked (the fix commit calls this a derivative of issues #2334 and #2389), but because the deny list matches exact names, the relocated copy passed the check and could be used as a gadget whenever it was loadable in the target JVM.
Exploitation
Conditions
Three things must hold for the flaw to be reachable [3]: the attacker controls JSON that reaches an ObjectMapper.readValue() call; that mapper has default typing enabled (enableDefaultTyping() in 2.9, or activateDefaultTyping() with a permissive validator in 2.10+), or the target property is annotated with @JsonTypeInfo using a class-name type id on a broad declared type such as Object; and the gadget class is loadable by the application's class loader. The last condition is met when the New Relic Java agent jar, which bundles logback-core under the com.newrelic.agent.deps prefix, is present [4]. No authentication or special privilege is needed beyond reaching the deserialization endpoint, so the attack is network-based if that endpoint is exposed. Applications that never enable default typing and do not use class-name type ids on untrusted input are not affected.
Impact
Successful exploitation lets the attacker choose which class jackson-databind instantiates and which property values it sets on it; with this gadget that amounts to arbitrary code execution in the server process, and from there compromise of the application and potentially the underlying host. The bug is reachable over the network without credentials, but only in applications that meet the conditions above, so the practical severity depends on whether default typing is in use. It is the sibling of CVE-2020-36188, which covers com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource; the fix commit blocks both names together [3].
Mitigation
The vulnerability is fixed in jackson-databind 2.9.10.8 and 2.6.7.5, which add the shaded DriverManagerConnectionSource and JNDIConnectionSource names to the default deny list in SubTypeValidator [4]. Upgrade to one of those versions or later, and check the resolved dependency tree rather than the declared version, since jackson-databind is frequently pulled in transitively (for Maven: mvn dependency:tree -Dincludes=com.fasterxml.jackson.core:jackson-databind). The deny list only stops names already on it, so the durable mitigation is the one the maintainer gives in the cited "don't panic" post: do not enable default typing (or class-name type ids) for untrusted input at all, and where polymorphic typing is genuinely needed, move to 2.10 or later and use activateDefaultTyping() with a BasicPolymorphicTypeValidator that allow-lists only the application's own types. There is no vendor workaround for a mapper that keeps laissez-faire default typing on attacker-controlled JSON beyond upgrading.
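The following Java program is an added example, not code from jackson-databind or from New Relic, that puts the precondition described under Conditions next to the allow-list mitigation described under Mitigation. It assumes jackson-databind 2.10 or later on the classpath (activateDefaultTyping and BasicPolymorphicTypeValidator do not exist in 2.9). The class FakeConnectionSource is a hypothetical stand-in for the real gadget: its setter merely records its argument, where the real class carries JDBC configuration. The JSON documents are constructed for the demo.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.impl.LaissezFaireSubTypeValidator;

/**
 * Added example (not jackson-databind's or New Relic's code). Shows how
 * default typing turns a class name inside JSON into an instantiation plus
 * setter calls, and how an allow-list PolymorphicTypeValidator (2.10+) stops
 * it before any class is resolved or built.
 */
public class DefaultTypingDemo {

    /** Application type with a polymorphic field; Object is exactly what default typing targets. */
    public static class Envelope {
        public Object payload;
    }

    /** The only subtype the application actually expects in 'payload'. */
    public static class Message {
        public String text;
    }

    /** Hypothetical stand-in for the gadget: a bean whose setter has an observable effect. */
    public static class FakeConnectionSource {
        static volatile String lastUrl;
        public void setUrl(String url) { lastUrl = url; }
    }

    /** Constructed hostile document: the WRAPPER_ARRAY type id names a class the app never meant to accept. */
    static String hostileJson() {
        return "{\"payload\":[\"" + FakeConnectionSource.class.getName()
                + "\",{\"url\":\"jdbc:fake://attacker.invalid/\"}]}";
    }

    /** Constructed benign document using the expected subtype. */
    static String benignJson() {
        return "{\"payload\":[\"" + Message.class.getName() + "\",{\"text\":\"hello\"}]}";
    }

    /** Mirrors the no-argument enableDefaultTyping() of 2.9: laissez-faire validator, any class name accepted. */
    static ObjectMapper unsafeMapper() {
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(LaissezFaireSubTypeValidator.instance,
                ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return m;
    }

    /** Allow-list: only Message (or its subclasses) may appear as a polymorphic subtype. */
    static ObjectMapper safeMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Message.class)
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return m;
    }

    public static void main(String[] args) throws Exception {
        // Vulnerable configuration: the attacker's type id is instantiated and its setter runs.
        FakeConnectionSource.lastUrl = null;
        Envelope e = unsafeMapper().readValue(hostileJson(), Envelope.class);
        System.out.println("unsafe: payload is " + e.payload.getClass().getSimpleName()
                + ", setUrl saw " + FakeConnectionSource.lastUrl);

        // Hardened configuration: the expected subtype still round-trips...
        Envelope ok = safeMapper().readValue(benignJson(), Envelope.class);
        System.out.println("safe: benign payload text is " + ((Message) ok.payload).text);

        // ...and the hostile type id is refused by the validator, so no bean is ever built.
        FakeConnectionSource.lastUrl = null;
        try {
            safeMapper().readValue(hostileJson(), Envelope.class);
            System.out.println("safe: UNEXPECTED, hostile type accepted");
        } catch (InvalidTypeIdException ex) {
            System.out.println("safe: rejected (" + ex.getOriginalMessage()
                    + "), setUrl saw " + FakeConnectionSource.lastUrl);
        }
    }
}
```

The point of the allow-list is that it is evaluated on the declared base type and the candidate subtype, not on a list of names the maintainers happened to know about, so a relocated copy of a known gadget under a new package prefix is refused just like any other unexpected class. On the 2.9 line there is no PolymorphicTypeValidator; the only equivalent is not to enable default typing for untrusted input.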
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.fasterxml.jackson.core:jackson-databind (Maven) | >= 2.7.0, < 2.9.10.8 | 2.9.10.8 |
| com.fasterxml.jackson.core:jackson-databind (Maven) | < 2.6.7.5 | 2.6.7.5 |
Affected products
- FasterXML/jackson-databind
Patches
3e19c557b7891[maven-release-plugin] prepare release jackson-databind-2.6.7.5
1 file changed · +2 −2
pom.xml+2 −2 modified@@ -10,7 +10,7 @@ <groupId>com.fasterxml.jackson.core</groupId> <artifactId>jackson-databind</artifactId> - <version>2.6.7.5-SNAPSHOT</version> + <version>2.6.7.5</version> <name>jackson-databind</name> <packaging>bundle</packaging> <description>General data-binding functionality for Jackson: works on core streaming API</description> @@ -21,7 +21,7 @@ <connection>scm:git:git@github.com:FasterXML/jackson-databind.git</connection> <developerConnection>scm:git:git@github.com:FasterXML/jackson-databind.git</developerConnection> <url>http://github.com/FasterXML/jackson-databind</url> - <tag>HEAD</tag> + <tag>jackson-databind-2.6.7.5</tag> </scm> <properties>
7ae9214c0670[maven-release-plugin] prepare release jackson-databind-2.9.10.8
1 file changed · +2 −2
pom.xml+2 −2 modified@@ -10,7 +10,7 @@ <groupId>com.fasterxml.jackson.core</groupId> <artifactId>jackson-databind</artifactId> - <version>2.9.10.8-SNAPSHOT</version> + <version>2.9.10.8</version> <name>jackson-databind</name> <packaging>bundle</packaging> <description>General data-binding functionality for Jackson: works on core streaming API</description> @@ -21,7 +21,7 @@ <connection>scm:git:git@github.com:FasterXML/jackson-databind.git</connection> <developerConnection>scm:git:git@github.com:FasterXML/jackson-databind.git</developerConnection> <url>http://github.com/FasterXML/jackson-databind</url> - <tag>HEAD</tag> + <tag>jackson-databind-2.9.10.8</tag> </scm> <properties>
33d96c13fe18Fixed #2996
2 files changed · +7 −0
release-notes/VERSION-2.x+2 −0 modified@@ -8,6 +8,8 @@ Project: jackson-databind #2986: Block two more gadget types (commons-dbcp2, CVE-2020-35490/CVE-2020-35491) (reported by Al1ex@knownsec) +#2996: Block 2 more gadget types (placeholder) + (reported by Al1ex@knownsec) 2.9.10.7 (02-Dec-2020)
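Review bot: the new entry "#2996: Block 2 more gadget types (placeholder)" leaves a literal placeholder in the shipped release notes, while the #2986 line directly above it names both the gadget library and its CVE ids (commons-dbcp2, CVE-2020-35490/CVE-2020-35491). Replace "(placeholder)" with the two blocked classes (the SubTypeValidator comment in this same commit already identifies them as newrelic-agent + embedded-logback-core) and the CVE ids once assigned, so the VERSION-2.x notes stay greppable by gadget and by CVE like the surrounding entries.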
src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java+5 −0 modified@@ -211,6 +211,11 @@ public class SubTypeValidator s.add("org.apache.commons.dbcp2.datasources.PerUserPoolDataSource"); s.add("org.apache.commons.dbcp2.datasources.SharedPoolDataSource"); + // [databind#2996]: newrelic-agent + embedded-logback-core + // (derivative of #2334 and #2389) + s.add("com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource"); + s.add("com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource"); + DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s); }
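Review bot: the two added s.add(...) entries are exact-string matches for a package-relocated copy of logback-core classes that this list already blocks (the comment itself calls them a "derivative of #2334 and #2389"), so any other agent or library that shades logback-core under its own prefix will pass the same check untouched; a deny list keyed on fully-qualified names cannot keep up with relocation. Suggest a comment on this block pointing readers to an allow-list validator as the real fix for polymorphic deserialization, and, since the commit touches only this file and the release notes, a test asserting that both "com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource" and "com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource" are rejected as type ids, so the entries cannot be lost in a later merge of this hand-maintained set.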
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-vfqx-33qm-g869 (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-36189 (NVD entry)
- cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 (maintainer's post on Jackson CVEs)
- github.com/FasterXML/jackson-databind/commit/33d96c13fe18a2dad01b19ce195548c9acea9da4 (fix commit)
- github.com/FasterXML/jackson-databind/issues/2996 (upstream issue)
- lists.debian.org/debian-lts-announce/2021/04/msg00025.html (Debian LTS announcement)
- security.netapp.com/advisory/ntap-20210205-0005/ (NetApp advisory; listed by GHSA and as MITRE CONFIRM)
- www.oracle.com//security-alerts/cpujul2021.html (Oracle Critical Patch Update, July 2021)
- www.oracle.com/security-alerts/cpuApr2021.html (Oracle Critical Patch Update, April 2021)
- www.oracle.com/security-alerts/cpuapr2022.html (Oracle Critical Patch Update, April 2022)
- www.oracle.com/security-alerts/cpujan2022.html (Oracle Critical Patch Update, January 2022)
- www.oracle.com/security-alerts/cpujul2022.html (Oracle Critical Patch Update, July 2022)
- www.oracle.com/security-alerts/cpuoct2021.html (Oracle Critical Patch Update, October 2021)