CVE-2020-36179
critical-risk
Published 2021-01-07
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS.
Do I need to act?
!
60.3% chance of exploitation in next 30 days
EPSS score — higher than 40% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.1/10
High
NETWORK
/ HIGH complexity
Affected Products (20)
References (22)
Issue Tracking
https://github.com/FasterXML/jackson-databind/issues/3004
Third Party Advisory
https://security.netapp.com/advisory/ntap-20210205-0005/
Third Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.html
Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html
Issue Tracking
https://github.com/FasterXML/jackson-databind/issues/3004
Third Party Advisory
https://security.netapp.com/advisory/ntap-20210205-0005/
Third Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.html
and 2 more references
70
/ 100
critical-risk
Severity
24/34 · High
Exploitability
19/34 · Moderate
Exposure
27/34 · High