CVE-2020-36181
Deserialization vulnerability in jackson-databind (Maven)

Category: Deserialization | Known exploit: none | Fixable by: Resolved Security

What is CVE-2020-36181 About?

FasterXML jackson-databind 2.x before 2.9.10.8 (and the 2.6.x line before 2.6.7.5) mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS`, the package-renamed copy of Apache Commons DBCP that ships with Apache Tomcat. When an application deserializes untrusted JSON with polymorphic typing enabled, an attacker can name this class as the target type and drive it to remote code execution. Exploitation involves sending specially crafted JSON to such an endpoint.

Affected Software

  • com.fasterxml.jackson.core:jackson-databind
    • >2.0.0, <2.6.7.5
    • >2.7.0, <2.9.10.8

Technical Details

The vulnerability exists because jackson-databind's defence against deserialization gadgets is a denylist, and the denylist was incomplete. In certain configurations jackson-databind performs polymorphic deserialization, i.e. it deserializes a value whose concrete type is not known in advance and instead takes the target class from a type identifier embedded in the JSON (for example with default typing enabled, or with a `@JsonTypeInfo` base type such as `Object`). In that mode any class on the classpath can be named as the target unless SubTypeValidator blocks it, and before 2.9.10.8 / 2.6.7.5 it did not block org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS. An attacker therefore supplies a crafted JSON payload that names DriverAdapterCPDS as the type and sets its properties. Jackson instantiates the class and invokes its property setters with the attacker's values, and those setters do real work: setDriver, for example, resolves the attacker-named driver class by name with Class.forName, which loads and initialises whatever class was named, and similar reflective calls are made as the object is populated. This is a gadget-chain attack: the library does not restrict which classes polymorphic deserialization may construct or what their setters do, so a class with side-effecting setters becomes a path to arbitrary code execution.
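As an added example (written for this page, not code from the advisory or from the Jackson project), the unsafe configuration the paragraph describes next to a hardened one. It assumes Jackson 2.10 or later for `activateDefaultTyping` and `BasicPolymorphicTypeValidator`; `Widget` is a hypothetical application type, and the payload is constructed with placeholder property values, not a working exploit. The point it shows is that the type id is only dangerous once polymorphic typing is switched on, and that an allow-list validator rejects the gadget type id while still deserializing the application's own types.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingDemo {

    // Hypothetical application type that legitimately needs polymorphic handling.
    public static class Widget {
        public String name;
    }

    // Constructed payload in Jackson's default-typing wrapper-array form: [typeId, value].
    // The type id is the gadget class from the advisory; the property values are
    // placeholders, not a working exploit.
    static final String GADGET_PAYLOAD =
        "[\"org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS\","
        + " {\"driver\": \"placeholder.Driver\", \"url\": \"jdbc:placeholder\"}]";

    // Vulnerable pattern: global default typing with no allow-list. Every non-final
    // target (including Object) accepts any class name as a type id; only the built-in
    // denylist stands in the way, and before 2.9.10.8 / 2.6.7.5 it lacked DriverAdapterCPDS.
    static ObjectMapper vulnerableMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL); // deprecated since 2.10
        return m;
    }

    // Hardened pattern (Jackson 2.10+): default typing gated by an allow-list validator,
    // so only the application's own types may be named in a type id.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType(Widget.class)
            .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    public static void main(String[] args) throws Exception {
        // 1. With default typing left off, the type id is just data: the payload becomes a
        //    List holding a String and a Map, and no class is resolved from it.
        Object plain = new ObjectMapper().readValue(GADGET_PAYLOAD, Object.class);
        System.out.println("no default typing -> " + plain.getClass().getName());

        // 2. The hardened mapper refuses the gadget type id before instantiating anything.
        //    The exception is the same whether or not tomcat-dbcp is on the classpath:
        //    with it present the validator denies the subtype, without it the id is unknown.
        try {
            hardenedMapper().readValue(GADGET_PAYLOAD, Object.class);
            System.out.println("UNEXPECTED: gadget type id was accepted");
        } catch (InvalidTypeIdException e) {
            System.out.println("hardened mapper   -> rejected type id " + e.getTypeId());
        }

        // 3. It still deserializes the allow-listed application type.
        String okPayload = "[\"" + Widget.class.getName() + "\", {\"name\": \"ok\"}]";
        Widget w = (Widget) hardenedMapper().readValue(okPayload, Object.class);
        System.out.println("hardened mapper   -> accepted " + w.getClass().getName()
            + " name=" + w.name);

        // vulnerableMapper() is only here to make the unsafe configuration recognisable:
        // fed GADGET_PAYLOAD on an unfixed version with tomcat-dbcp present, it would
        // instantiate the gadget and call its setters with the attacker's values.
    }
}
```

On the 2.6.x and 2.9.x lines `activateDefaultTyping` does not exist; there the upgrade only extends the denylist, and the safe pattern is to leave default typing off and, where polymorphism is needed, enumerate the permitted subtypes with `@JsonTypeInfo` and `@JsonSubTypes` rather than accepting class names from the input.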

What is the Impact of CVE-2020-36181?

Successful exploitation may allow attackers to achieve arbitrary code execution on the server, leading to full system compromise, data exfiltration, or denial of service.

What is the Exploitability of CVE-2020-36181?

Exploitation involves sending specially crafted JSON to an application endpoint that deserializes it with a vulnerable jackson-databind into a polymorphic target (default typing enabled, or a `@JsonTypeInfo` base type such as `Object`). Complexity is moderate: the attacker must locate such a deserialization point and know which gadget classes are on the application's classpath. The attack is remote and needs no authentication if the endpoint is reachable without it. The prerequisites are a vulnerable jackson-databind version, polymorphic deserialization of untrusted input, and the presence of org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS (the package-renamed Commons DBCP copy bundled with Apache Tomcat) on the classpath. Applications that never enable default typing and deserialize only into concrete, non-polymorphic types do not consult the type id and are not reachable through this class; the risk is highest where untrusted input from external sources is deserialized polymorphically.
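As an added example (not from the advisory or from the Jackson project), a stand-alone Java check for the two prerequisites above: it encodes the affected ranges from the Affected Software section, treating the lower bounds as inclusive since every 2.x release before the fixed versions lacks the denylist entry, and probes the runtime classpath for the gadget class without initialising it. The sample version list is constructed; the version comparison is a plain numeric one written for this example, not Maven's.

```java
import java.util.Arrays;

public class Cve202036181Check {

    // Gadget class named in the advisory.
    static final String GADGET = "org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS";

    // Affected ranges from the advisory as [lower, upper): lower inclusive, upper exclusive.
    static final String[][] AFFECTED = {
        {"2.0.0", "2.6.7.5"},
        {"2.7.0", "2.9.10.8"},
    };

    // Component-wise numeric comparison. Missing trailing components count as 0,
    // so "2.6.7" equals "2.6.7.0" and "2.6.7.5" sorts after "2.6.7".
    static int compare(String a, String b) {
        int[] x = parts(a), y = parts(b);
        int n = Math.max(x.length, y.length);
        for (int i = 0; i < n; i++) {
            int xi = i < x.length ? x[i] : 0;
            int yi = i < y.length ? y[i] : 0;
            if (xi != yi) return Integer.compare(xi, yi);
        }
        return 0;
    }

    // Strips qualifiers such as "-SNAPSHOT" or "-rc1"; only the numeric prefix is compared.
    static int[] parts(String v) {
        String numeric = v.split("-")[0];
        return Arrays.stream(numeric.split("\\.")).mapToInt(Integer::parseInt).toArray();
    }

    static boolean isAffected(String version) {
        for (String[] r : AFFECTED) {
            if (compare(version, r[0]) >= 0 && compare(version, r[1]) < 0) return true;
        }
        return false;
    }

    // initialize=false: this only tests presence and does not run the class's static
    // initialiser, so the probe itself cannot trigger gadget behaviour.
    static boolean gadgetOnClasspath(ClassLoader loader) {
        try {
            Class.forName(GADGET, false, loader);
            return true;
        } catch (ClassNotFoundException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample of versions as they might come out of `mvn dependency:list`.
        String[] found = {"2.6.7.4", "2.6.7.5", "2.9.10.7", "2.9.10.8", "2.10.5.1", "2.12.0"};
        for (String v : found) {
            System.out.printf("jackson-databind %-9s affected=%b%n", v, isAffected(v));
        }

        // Constructed: the version actually deployed alongside this check.
        String deployed = "2.9.10.7";
        boolean gadget = gadgetOnClasspath(Cve202036181Check.class.getClassLoader());
        System.out.println("gadget class on classpath: " + gadget);
        System.out.println("both prerequisites met: " + (gadget && isAffected(deployed)));
    }
}
```

Both conditions being true does not by itself mean the application is exploitable; the deserialization point must also be polymorphic, as described above. Conversely, a false result for the gadget probe only covers this one class, so the version check remains the decisive signal for upgrading.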

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2020-36181?

A Fix by Resolved Security Exists!
Fix open-source vulnerabilities without upgrading your dependencies.

About the Fix from Resolved Security

The patch blocks additional dangerous classes from being deserialized by adding them to the denylist in SubTypeValidator, preventing exploitation of gadget chains that can be abused for remote code execution. This addresses CVE-2020-36181 by closing bypass vectors that allowed attackers to use newly identified or shaded class variants for malicious deserialization.

Available Upgrade Options

  • com.fasterxml.jackson.core:jackson-databind
    • >2.0.0, <2.6.7.5 → Upgrade to 2.6.7.5
  • com.fasterxml.jackson.core:jackson-databind
    • >2.7.0, <2.9.10.8 → Upgrade to 2.9.10.8


Additional Resources

What are Similar Vulnerabilities to CVE-2020-36181?

Similar Vulnerabilities: CVE-2017-7525, CVE-2017-15095, CVE-2018-7489, CVE-2019-12384, CVE-2020-8840