CVE-2020-10969
Deserialization Gadget vulnerability in jackson-databind (Maven)
What is CVE-2020-10969 About?
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing; this CVE covers one more gadget class, `javax.swing.JEditorPane`. Impact depends on the gadget chain reachable on the target and can include remote code execution. Exploitation requires that the application deserialize attacker-controlled JSON with polymorphic typing (Jackson's Default Typing) enabled.
Affected Software
Technical Details
FasterXML jackson-databind versions 2.x prior to 2.9.10.4 contain a deserialization gadget vulnerability involving javax.swing.JEditorPane. When Default Typing is enabled, Jackson resolves the class to instantiate from type information carried in the JSON payload itself, so an attacker who controls the input also chooses the class, provided it is present on the classpath and not on Jackson's blocklist of known gadgets. javax.swing.JEditorPane is one such class: Jackson instantiates it and sets its properties from the payload during bean deserialization, and the side effects of that process (in JEditorPane itself or in classes it interacts with) are what make it usable as a gadget. Versions before 2.9.10.4 did not reject this class name. Whether the result is code execution, an outbound request, a crash or some other effect depends on the gadget chain that can be formed on the target, not on Jackson alone.
What is the Impact of CVE-2020-10969?
Successful exploitation may allow an attacker to execute arbitrary code on the affected system, cause a denial of service, or leak sensitive information. The concrete outcome depends on which gadget chain is reachable from javax.swing.JEditorPane on the target's classpath.
What is the Exploitability of CVE-2020-10969?
Exploitation requires two things: the application must pass attacker-controlled JSON to jackson-databind with Default Typing enabled (or an equivalent polymorphic configuration that lets the payload name the class to instantiate), and javax.swing.JEditorPane must be on the target's classpath. Because the class ships with the standard JDK (java.desktop module), the second condition is normally met unless a trimmed runtime image is in use. No authentication or privileges on the application are needed beyond reaching an endpoint that deserializes the input, so this is typically a remote, unauthenticated attack. Complexity is moderate: the attacker must craft JSON that names the gadget class and supplies the property values that trigger its side effects. Applications that accept external JSON and enable Default Typing broadly (for example on `Object` or on all non-final types) are the most exposed; applications that never enable it are not affected by this gadget.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2020-10969?
About the Fix from Resolved Security
The fix (jackson-databind issue #2642, shipped in 2.9.10.4) adds "javax.swing.JEditorPane" to the list of class names that Jackson's SubTypeValidator refuses to deserialize when Default Typing is active, so a payload naming this class fails with a "prevented for security reasons" error instead of instantiating a gadget. This closes the specific gadget reported as CVE-2020-10969 but does not change the underlying design: Default Typing still accepts any class name that is not on the list. Treat the blocklist as a per-gadget mitigation and, independently of upgrading, restrict polymorphic typing to an explicit allowlist of application types or disable it.
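To make the preconditions described under Technical Details and the limits of the fix above concrete, here is an added example written for this page; it is not code from the page, the advisory or the Jackson project. It contrasts the configuration that makes gadget CVEs such as CVE-2020-10969 reachable (`enableDefaultTyping`, which has no allowlist) with two configurations that stop a payload from choosing arbitrary classes. It assumes jackson-databind 2.10 or later on the classpath for the `PolymorphicTypeValidator` API; the annotation-based variant also works on 2.9.x. The probe payload, the `com.example.model.` package and the `Shape` types are constructed for the example.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

import java.io.IOException;

/**
 * Added example (not from the page or the Jackson project). Shows why Default
 * Typing is the real precondition for gadget CVEs and how to configure Jackson
 * so the payload can no longer pick the class to instantiate.
 */
public class DefaultTypingCheck {

    // Constructed probe payload. With Default Typing on an Object target Jackson
    // expects the WRAPPER_ARRAY shape ["fully.qualified.ClassName", {...}].
    // The property map is deliberately empty: the only question asked here is
    // whether the mapper honours an attacker-chosen class name at all.
    static final String PROBE = "[\"javax.swing.JEditorPane\", {}]";

    /** Vulnerable pattern: any non-final class named in the payload may be instantiated. */
    static ObjectMapper unrestrictedMapper() {
        ObjectMapper m = new ObjectMapper();
        // 2.9 API, deprecated in 2.10 precisely because it carries no allowlist.
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    /** Hardened (2.10+): Default Typing only for subtypes under the application's own package. */
    static ObjectMapper allowlistedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")   // hypothetical application package
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    /** Hardened (any 2.x): no Default Typing; polymorphism through logical names only. */
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "kind")
    @JsonSubTypes({
            @JsonSubTypes.Type(value = Circle.class, name = "circle"),
            @JsonSubTypes.Type(value = Square.class, name = "square")
    })
    interface Shape {}
    static class Circle implements Shape { public double radius; }
    static class Square implements Shape { public double side; }

    /** Returns true if the mapper refuses to resolve the class named in the probe. */
    static boolean rejectsProbe(ObjectMapper mapper) {
        try {
            mapper.readValue(PROBE, Object.class);
            return false;                       // class name was honoured: vulnerable shape
        } catch (JsonMappingException e) {
            // Unrestricted mapper on 2.9.10.4+: "Illegal type ... prevented for security reasons"
            // (blocklist hit). Allowlisted mapper: InvalidTypeIdException, the validator denied it.
            // Unrestricted mapper before 2.9.10.4: no exception here, the class is instantiated.
            return true;
        } catch (IOException e) {
            return false;                       // a plain parse error is not a security rejection
        }
    }

    public static void main(String[] args) throws IOException {
        System.out.println("unrestricted mapper rejects probe: " + rejectsProbe(unrestrictedMapper()));
        System.out.println("allowlisted mapper rejects probe:  " + rejectsProbe(allowlistedMapper()));

        // Logical-name polymorphism: the payload cannot name a JVM class at all,
        // so no blocklist is needed for this endpoint, on any Jackson version.
        ObjectMapper plain = new ObjectMapper();
        Shape s = plain.readValue("{\"kind\":\"circle\",\"radius\":2.0}", Shape.class);
        System.out.println("shape resolved to: " + s.getClass().getSimpleName());
    }
}
```

Run it once against the version you currently ship and once after upgrading: the first line flips from `false` to `true` only because JEditorPane was added to the blocklist, whereas the allowlisted mapper rejects the probe on every supported version and would reject the next gadget class too. That difference is the reason to fix the configuration rather than stop at the upgrade.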
Available Upgrade Options
- com.fasterxml.jackson.core:jackson-databind
  - 2.x, <2.9.10.4 → Upgrade to 2.9.10.4 or later
Additional Resources
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://osv.dev/vulnerability/GHSA-758m-v56v-grj4
- https://lists.debian.org/debian-lts-announce/2020/04/msg00012.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
- https://nvd.nist.gov/vuln/detail/CVE-2020-10969
- https://github.com/FasterXML/jackson-databind/issues/2642
What are Similar Vulnerabilities to CVE-2020-10969?
Similar Vulnerabilities: CVE-2019-16943, CVE-2019-14439, CVE-2019-12814, CVE-2019-14540, CVE-2017-7525
