CVE-2019-20330
Polymorphic Typing vulnerability in com.fasterxml.jackson.core:jackson-databind


What is CVE-2019-20330 About?

This vulnerability affects FasterXML jackson-databind on the 2.6.x, 2.7.x, 2.8.x and 2.9.x branches before 2.6.7.4, 2.7.9.7, 2.8.11.5 and 2.9.10.2 respectively, due to incomplete blocking of `net.sf.ehcache` classes. It is a deserialization flaw that can lead to remote code execution. Exploitation requires knowledge of gadget chains and the ability to send malicious serialized data.

Affected Software

  • com.fasterxml.jackson.core:jackson-databind
    • >2.0.0, <2.6.7.4
    • >2.7.0, <2.7.9.7
    • >2.8.0, <2.8.11.5
    • >2.9.0, <2.9.10.2

Technical Details

The FasterXML jackson-databind library, in specified versions, fails to adequately block certain `net.sf.ehcache` classes from being deserialized. This represents a bypass in its existing polymorphic typing protection mechanisms. An attacker can craft a malicious JSON payload that, when processed by a vulnerable `jackson-databind` instance, leverages an `ehcache` class as a deserialization gadget. This gadget's methods or constructors are then invoked, potentially leading to arbitrary code execution within the context of the application. The attack vector relies on the application taking untrusted serialized data as input.

What is the Impact of CVE-2019-20330?

Successful exploitation may allow attackers to execute arbitrary code, bypass security controls, or cause a denial of service on the affected system.

What is the Exploitability of CVE-2019-20330?

Exploitation of this `jackson-databind` deserialization vulnerability is of moderate complexity. It requires an attacker to be able to supply malicious serialized data (typically JSON) to an application that uses a vulnerable `jackson-databind` version. The presence of the `net.sf.ehcache` library on the application's classpath is a prerequisite, as it provides the 'gadget' necessary for code execution. Authentication is generally not required if the deserialization endpoint is exposed externally. This is a remote attack, and success depends on the attacker's ability to identify and leverage a suitable deserialization gadget chain. The likelihood of exploitation increases when applications process untrusted inputs without proper serialization filtering.

What are the Known Public Exploits?

There are no known public exploits (PoC, author, link or commentary) for CVE-2019-20330.

What are the Available Fixes for CVE-2019-20330?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

The patch updates the SubTypeValidator to block deserialization of two additional Ehcache-related classes by adding them to the blacklist, preventing them from being used in polymorphic deserialization. This mitigates the risk of remote code execution via gadgets, addressing CVE-2019-20330 by preventing attackers from exploiting insecure deserialization paths.
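As an added defensive illustration of the Technical Details and fix passages above (not code from this advisory or from the jackson-databind project): the blacklist-only default-typing configuration the CVE concerns, beside the allowlist-based configuration available from jackson-databind 2.10 onward. The `com.example.events` package, the `Event`/`LoginEvent` types and the `net.sf.ehcache.PLACEHOLDER_CLASS` type id are constructed placeholders, not real gadget classes.

```java
package com.example.events;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.ObjectMapper.DefaultTyping;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class SafeDefaultTyping {
    // Constructed application types: the only subtypes a type id should ever be allowed to name.
    public interface Event { }
    public static class LoginEvent implements Event { public String user; }

    // Blacklist-only configuration (deprecated since 2.10): any class on the classpath that the
    // internal SubTypeValidator deny list does not name is a candidate gadget, which is the
    // failure mode behind CVE-2019-20330.
    @SuppressWarnings("deprecation")
    public static ObjectMapper legacyMapper() {
        return new ObjectMapper().enableDefaultTyping();
    }

    // Hardened configuration: default typing is only activated with an allowlist validator.
    public static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.events.")   // hypothetical application package
                .build();
        return new ObjectMapper().activateDefaultTyping(ptv, DefaultTyping.NON_FINAL);
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = hardenedMapper();
        // Allowlisted subtype (WRAPPER_ARRAY form: [type id, value]) deserializes normally.
        Event ok = mapper.readValue(
                "[\"com.example.events.SafeDefaultTyping$LoginEvent\",{\"user\":\"alice\"}]",
                Event.class);
        System.out.println("accepted: " + ((LoginEvent) ok).user);

        // Constructed untrusted payload naming a class outside the allowlist; the validator
        // rejects the type id before any constructor or setter of that class can run.
        String untrusted = "[\"net.sf.ehcache.PLACEHOLDER_CLASS\",{}]";
        try {
            mapper.readValue(untrusted, Object.class);
            System.out.println("UNEXPECTED: payload was accepted");
        } catch (InvalidTypeIdException e) {
            System.out.println("rejected type id: " + e.getTypeId());
        }
    }
}
```

On the vulnerable branches listed above, upgrading to the fixed release extends the deny list; moving to 2.10+ with `activateDefaultTyping` and an allowlist removes the dependence on that list altogether.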

Available Upgrade Options

  • com.fasterxml.jackson.core:jackson-databind
    • >2.0.0, <2.6.7.4 → Upgrade to 2.6.7.4
    • >2.7.0, <2.7.9.7 → Upgrade to 2.7.9.7
    • >2.8.0, <2.8.11.5 → Upgrade to 2.8.11.5
    • >2.9.0, <2.9.10.2 → Upgrade to 2.9.10.2


Additional Resources

What are Similar Vulnerabilities to CVE-2019-20330?

Similar Vulnerabilities: CVE-2020-11111, CVE-2020-10968, CVE-2020-11620, CVE-2019-14540, CVE-2017-7525