CVE-2020-10673
Serialization Gadgets vulnerability in com.fasterxml.jackson.core:jackson-databind

Tags: Serialization Gadgets, Proof of concept, Fixable by Resolved Security

What is CVE-2020-10673 About?

This vulnerability in FasterXML jackson-databind stems from deserialization of untrusted data, specifically via the 'com.caucho.config.types.ResourceRef' gadget class. An attacker who controls the serialized input can achieve arbitrary code execution or denial of service, so the flaw is moderately easy to exploit wherever such input is accepted.

Affected Software

  • com.fasterxml.jackson.core:jackson-databind
    • >2.7.0, <2.9.10.4
    • >2.0.0, <2.6.7.4

Technical Details

FasterXML jackson-databind versions 2.x before 2.9.10.4 and 2.6.7.4 mishandle the interaction between serialization gadgets and typing, in this case for the class 'com.caucho.config.types.ResourceRef' (from caucho-quercus). When jackson-databind is configured with polymorphic type handling enabled, an attacker can supply specially crafted JSON whose type designator names the `ResourceRef` class, together with parameters that drive that class's deserialization logic. On deserialization, `ResourceRef`, which is normally used for loading resources, can be made to load and execute arbitrary code or perform other harmful actions, resulting in remote code execution (RCE) or denial of service (DoS) in the application that processes the payload.
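The configuration contrast the paragraph above describes, as an added example that is not part of the advisory and is not code from the jackson-databind project: the first mapper enables default typing with no restriction, so the type designator in attacker-controlled JSON selects the class to instantiate; the second activates default typing only with an allowlist validator, so any type id outside the application's own model classes is rejected before instantiation. It assumes jackson-databind 2.10 or later (where `activateDefaultTyping` and `BasicPolymorphicTypeValidator` exist); the `Trusted` model class is hypothetical, and `java.util.HashMap` stands in for any class on the classpath that the application never intended to deserialize polymorphically.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

// Added example (not from the advisory or from jackson-databind itself).
// Requires jackson-databind 2.10+ for activateDefaultTyping and
// BasicPolymorphicTypeValidator.
public class PolymorphicTypingCheck {

    // Hypothetical application model type that is legitimately deserialized
    // polymorphically: non-final, public no-arg constructor, public field.
    public static class Trusted {
        public String name;
        public Trusted() {}
        public Trusted(String name) { this.name = name; }
    }

    // The configuration the advisory warns about: default typing is enabled,
    // so the type designator in the JSON decides which class is instantiated.
    // On 2.9.10.3 and earlier only the SubTypeValidator blacklist stands
    // between that designator and a gadget class present on the classpath.
    static ObjectMapper vulnerableMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // deprecated since 2.10; kept for contrast
        return mapper;
    }

    // Hardened form: default typing is activated only with an allowlist, so a
    // type id naming anything other than Trusted (or a subclass of it) is
    // refused with InvalidTypeIdException instead of being instantiated.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Trusted.class)
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // True when the mapper refuses the JSON because of its type id, which is
    // the outcome a defender wants for attacker-controlled input.
    static boolean rejectsTypeId(ObjectMapper mapper, String json) {
        try {
            mapper.readValue(json, Object.class);
            return false;
        } catch (InvalidTypeIdException e) {
            return true;
        } catch (Exception e) {
            return false; // malformed JSON or other failure, not a type-id rejection
        }
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper hardened = hardenedMapper();

        // Legitimate round trip: the allowlisted class is still accepted.
        String ok = hardened.writeValueAsString(new Trusted("report"));
        Object back = hardened.readValue(ok, Object.class);
        System.out.println("allowlisted type round-trips: " + (back instanceof Trusted));

        // Constructed input whose type designator names a class that exists on
        // the classpath but is not on the allowlist. The vulnerable mapper
        // instantiates it; the hardened mapper rejects the type id.
        String foreign = "[\"java.util.HashMap\", {}]";
        System.out.println("vulnerable mapper rejects foreign type id: "
                + rejectsTypeId(vulnerableMapper(), foreign));
        System.out.println("hardened mapper rejects foreign type id: "
                + rejectsTypeId(hardened, foreign));
    }
}
```

The allowlist is the durable fix: upgrading to 2.9.10.4 only extends the blacklist for this particular gadget, whereas an explicit `PolymorphicTypeValidator` rejects every class the application did not opt in, including gadgets that have not been catalogued yet.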

What is the Impact of CVE-2020-10673?

Successful exploitation may allow attackers to execute arbitrary code, achieve denial of service, or leak sensitive information, depending on the capabilities exposed by the deserialized gadget.

What is the Exploitability of CVE-2020-10673?

Exploitation is of moderate complexity: the attacker mainly needs to deliver controlled serialized data (e.g., JSON) to an application that uses a vulnerable version of jackson-databind with polymorphic type handling enabled. No authentication or privileges are required beyond whatever is needed to send the payload to the application, and the scenario is typically remote, with crafted input sent over a network. The main constraint is that the 'com.caucho.config.types.ResourceRef' class (from caucho-quercus) must be present on the application's classpath for this specific gadget to work. The widespread use of jackson-databind and the prevalence of exposed deserialization endpoints increase the likelihood of exploitation.

What are the Known Public Exploits?

PoC Author | Link | Commentary
Al1ex      | Link | CVE-2020-10673: jackson-databind RCE
harry1080  | Link | CVE-2020-10673

What are the Available Fixes for CVE-2020-10673?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

The patch adds further class names to the blacklist in SubTypeValidator so that they are refused as polymorphic subtypes during deserialization. This mitigates CVE-2020-10673 by blocking the specific dangerous classes that could otherwise be reached through malicious polymorphic type handling in jackson-databind to achieve remote code execution.

Available Upgrade Options

  • com.fasterxml.jackson.core:jackson-databind
    • >2.0.0, <2.6.7.4 → Upgrade to 2.6.7.4
  • com.fasterxml.jackson.core:jackson-databind
    • >2.7.0, <2.9.10.4 → Upgrade to 2.9.10.4


Additional Resources

What are Similar Vulnerabilities to CVE-2020-10673?

Similar Vulnerabilities: CVE-2020-14061, CVE-2020-10672, CVE-2019-12384, CVE-2019-14540, CVE-2019-14439