CVE-2020-35491
Deserialization vulnerability in jackson-databind (Maven)

Type: Deserialization Vulnerability | Known exploits: none | Fixable by Resolved Security

What is CVE-2020-35491 About?

FasterXML `jackson-databind` 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and polymorphic typing, in this case involving `org.apache.commons.dbcp2.datasources.SharedPoolDataSource`. An attacker who can control the JSON an application deserializes with polymorphic typing enabled can name this class as a gadget and achieve arbitrary code execution. Exploitation is relatively easy once the attacker controls the deserialized input and `commons-dbcp2` is on the classpath.

Affected Software

com.fasterxml.jackson.core:jackson-databind >=2.0.0, <2.9.10.8

Technical Details

The vulnerability in FasterXML jackson-databind (versions 2.x before 2.9.10.8) is a deserialization flaw in the same family as the many other jackson-databind gadget CVEs. It arises from the mishandling of the interaction between serialization gadgets and polymorphic typing, here involving the org.apache.commons.dbcp2.datasources.SharedPoolDataSource class. When jackson-databind is configured to take the class to instantiate from a type id in the input (global default typing via ObjectMapper.enableDefaultTyping(), or a property annotated with @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)), an attacker can supply a JSON payload whose type id names SharedPoolDataSource. Jackson instantiates the class and populates it through its setters with attacker-controlled values, and the resulting object can be driven to load and execute attacker-specified code. The gadget is only reachable when commons-dbcp2 is on the application's classpath. The fix does not change the gadget class itself; it adds the class name to Jackson's denylist of types that may never be resolved from a type id, which is why an allowlist of your own types is the more durable defence.
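The following is an added example, not code from the advisory, from Resolved Security, or from the jackson-databind project. It places the weak configuration described above (global default typing, where any class on the classpath can be named in the type id) next to a hardened ObjectMapper built on a PolymorphicTypeValidator allowlist, which is the supported replacement on jackson-databind 2.10 and later. The Shape/Circle model, the class names and the two JSON inputs are constructed for illustration; the "gadget" input names the class from this advisory but carries no properties, so it only shows that the type id is refused before anything is instantiated, whether or not commons-dbcp2 is on the classpath.

```java
// Added example: weak vs hardened default typing in jackson-databind (requires 2.10+ for
// activateDefaultTyping / BasicPolymorphicTypeValidator). Not the project's own code.
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingDemo {

    // Constructed application model: the only polymorphic hierarchy we ever want to accept.
    public interface Shape { double area(); }
    public static class Circle implements Shape {
        public double r;
        public double area() { return Math.PI * r * r; }
    }

    // WEAK: legacy global default typing. The JSON type id may name any class on the
    // classpath, which is exactly what turns classes such as SharedPoolDataSource into gadgets.
    @SuppressWarnings("deprecation")
    static ObjectMapper weakMapper() {
        return new ObjectMapper().enableDefaultTyping();
    }

    // HARDENED: allowlist by name prefix. In a real application this would be your model
    // package (e.g. "com.example.model."); here the prefix is this demo class's own name so
    // that the nested Circle type matches. Names outside the prefix are rejected before
    // Jackson loads the class, so the gadget set on the classpath becomes irrelevant.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(DefaultTypingDemo.class.getName())
                .build();
        return new ObjectMapper().activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
    }

    public static void main(String[] args) throws Exception {
        // Constructed untrusted inputs in Jackson's wrapper-array form ["type id", {properties}].
        String safeJson = "[\"" + Circle.class.getName() + "\", {\"r\": 2.0}]";
        String gadgetJson = "[\"org.apache.commons.dbcp2.datasources.SharedPoolDataSource\", {}]";

        ObjectMapper hardened = hardenedMapper();

        // Our own subtype is still accepted, so polymorphism keeps working for legitimate data.
        Shape s = hardened.readValue(safeJson, Shape.class);
        System.out.println("accepted own type, area=" + s.area());

        // The gadget type id is refused (InvalidTypeIdException, a JsonMappingException)
        // regardless of whether commons-dbcp2 is on the classpath.
        try {
            hardened.readValue(gadgetJson, Object.class);
            System.out.println("UNEXPECTED: gadget type id was accepted");
        } catch (JsonMappingException e) {
            System.out.println("rejected: " + e.getOriginalMessage());
        }
    }
}
```

On the 2.9 line there is no validator API: the equivalent is to remove enableDefaultTyping() entirely and express polymorphism with @JsonTypeInfo(use = JsonTypeInfo.Id.NAME) plus explicitly registered subtypes, so that no class name from the input is ever resolved. Upgrading to 2.9.10.8 only extends the denylist to this gadget; it does not protect against the next one.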

What is the Impact of CVE-2020-35491?

Successful exploitation may allow attackers to achieve remote code execution, leading to full compromise of the affected system, data breach, and denial of service.

What is the Exploitability of CVE-2020-35491?

Exploitation complexity is moderate to low, provided the attacker can supply specially crafted JSON data to an application that deserializes it using jackson-databind. No authentication or specific privileges are required if the input channel is publicly accessible. This is typically a remote attack. The primary prerequisite is that the application uses a vulnerable jackson-databind version and is configured to allow polymorphic deserialization on untrusted input. The presence of the org.apache.commons.dbcp2 library on the classpath acts as the 'gadget' necessary for the RCE payload. Risk factors include APIs that accept JSON payloads from untrusted sources, message queues, or persistent storage where malicious data might reside.

What are the Known Public Exploits?

No known public exploits are listed (PoC / Author / Link / Commentary: none).

What are the Available Fixes for CVE-2020-35491?

A Fix by Resolved Security Exists!
Learn how we backport CVE fixes to your open-source libraries effortlessly.

About the Fix from Resolved Security

The patch adds two Apache DBCP2 datasource classes to a denylist of types that cannot be deserialized by Jackson, preventing their instantiation via untrusted data. This addresses CVE-2020-35491 by blocking a deserialization vector that attackers could exploit to execute arbitrary code or gain unauthorized database access.

Available Upgrade Options

  • com.fasterxml.jackson.core:jackson-databind
    • >=2.0.0, <2.9.10.8 → Upgrade to 2.9.10.8
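The following is an added example, not from the advisory or from Resolved Security: a small check that flags jackson-databind versions inside the range given above (2.x, that is >=2.0.0 and <2.9.10.8) in the output of `mvn dependency:tree`. It handles Jackson's four-component micro-patch versions so that 2.9.10 sorts below 2.9.10.8 and 2.9.10.8 below 2.10.0, which naive string comparison gets wrong. The sample tree is constructed, not real project output. It encodes only the range this page gives; jackson-databind ships parallel patch releases per minor line, so confirm the fix state of 2.10.x and later against the upstream release notes rather than treating them as out of scope.

```python
# Added example (not from the advisory or from Resolved Security): flag jackson-databind
# versions inside the advisory's range (>= 2.0.0 and < 2.9.10.8) in `mvn dependency:tree` output.
import re
from typing import List, Tuple

ARTIFACT = "com.fasterxml.jackson.core:jackson-databind"
AFFECTED_FROM = "2.0.0"   # first affected version per the advisory's "2.x"
FIXED_IN = "2.9.10.8"     # first fixed release per the advisory

# Constructed sample: two copies of jackson-databind reach the build, one of them vulnerable.
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0.0
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.10.5:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.9.10:compile
[INFO] |  \\- com.fasterxml.jackson.core:jackson-core:jar:2.9.10:compile
[INFO] +- org.apache.commons:commons-dbcp2:jar:2.7.0:compile
[INFO] \\- com.example:lib:jar:3.1.0:compile
[INFO]    \\- com.fasterxml.jackson.core:jackson-databind:jar:2.12.3:compile
"""

# Maven prints group:artifact:packaging[:classifier]:version:scope. A classifier is not
# used for jackson-databind, so the version is the field right after the packaging.
_LINE_RE = re.compile(re.escape(ARTIFACT) + r":[A-Za-z]+:(?P<version>[^:\s]+):")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.9.10' or '2.9.10.8' into a 4-tuple so that 2.9.10 < 2.9.10.8 < 2.10.0.

    Jackson's micro-patch releases carry a fourth component; shorter versions are padded
    with zeros. A non-numeric suffix such as '-SNAPSHOT' is ignored for the comparison.
    """
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple((parts + [0, 0, 0, 0])[:4])


def is_vulnerable(version: str) -> bool:
    """True when the version lies in the advisory's affected range."""
    v = parse_version(version)
    return parse_version(AFFECTED_FROM) <= v < parse_version(FIXED_IN)


def find_vulnerable(tree_text: str) -> List[Tuple[int, str]]:
    """Return (line number, version) for every vulnerable jackson-databind entry in the tree."""
    hits = []
    for lineno, line in enumerate(tree_text.splitlines(), start=1):
        m = _LINE_RE.search(line)
        if m and is_vulnerable(m.group("version")):
            hits.append((lineno, m.group("version")))
    return hits


if __name__ == "__main__":
    for lineno, version in find_vulnerable(SAMPLE_TREE):
        print(f"line {lineno}: {ARTIFACT}:{version} is vulnerable, upgrade to {FIXED_IN}")
```

Run it against real output with `mvn dependency:tree | python3 check_databind.py` after replacing SAMPLE_TREE with `sys.stdin.read()`; a transitive copy pulled in by a library (line 7 in the sample) is reported exactly like a direct one, which is where these versions usually hide.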

Struggling with dependency upgrades?

See how Resolved Security's drop-in replacements make it simple.

Book a demo

Additional Resources

What are Similar Vulnerabilities to CVE-2020-35491?

Similar Vulnerabilities: CVE-2020-36180, CVE-2020-35728, CVE-2020-35729, CVE-2020-35730, CVE-2020-35731