What is CVE-2020-36179?

CVE-2020-36179 is a vulnerability in N/a. Published 2021-01-06.

Is CVE-2020-36179 known to be exploited?

20 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in N/a

CVE-2020-36179

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS.

EPSS: 0.619 (98.4th percentile) — read the EPSS interpretation.

Affected products

N/a — versions n/a

Public proof-of-concept exploits

References

cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-kno… (x_refsource_MISC)
github.com/FasterXML/jackson-databind/issues/3004 (x_refsource_MISC)
[spark-issues] 20210115 [jira] [Created] (SPARK-34124) Upgrade jackson version to fix CVE-2020-36179 in Spark 2.4 (mailing-list, x_refsource_MLIST)
[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update (mailing-list, x_refsource_MLIST)
www.oracle.com/security-alerts/cpuApr2021.html (x_refsource_MISC)
security.netapp.com/advisory/ntap-20210205-0005/ (x_refsource_CONFIRM)
www.oracle.com//security-alerts/cpujul2021.html (x_refsource_MISC)
www.oracle.com/security-alerts/cpuoct2021.html (x_refsource_MISC)
www.oracle.com/security-alerts/cpujan2022.html (x_refsource_MISC)
www.oracle.com/security-alerts/cpuapr2022.html (x_refsource_MISC)

Frequently asked questions

What is CVE-2020-36179?: CVE-2020-36179 is a vulnerability in N/a. Published 2021-01-06.
Is CVE-2020-36179 known to be exploited?: 20 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.