CVE-2021-20190
serialization gadgets vulnerability in jackson-databind (Maven)
What is CVE-2021-20190 About?
`jackson-databind` before 2.6.7.5 and 2.9.10.7 mishandles the interaction between serialization gadgets and typing, which threatens data confidentiality, integrity and system availability. Exploitation typically involves sending specially crafted serialized data and is of moderate to high complexity.
Affected Software
- com.fasterxml.jackson.core:jackson-databind
  - <2.6.7.5
  - >2.7.0, <2.9.10.7
Technical Details
The vulnerability in jackson-databind (before 2.9.10.7 and 2.6.7.5) arises from insufficient handling of the interaction between serialization gadgets and typing mechanisms. jackson-databind is a widely used library for JSON serialization and deserialization. Serialization gadgets are classes or methods that can be abused during deserialization to execute arbitrary code or perform unintended actions.

When jackson-databind is configured for polymorphic type handling (e.g., using @JsonTypeInfo), it uses type information embedded in the JSON payload to decide which class to instantiate. The library's protection against abuse of this feature is a denylist of known gadget classes, and the flaw is that this denylist is not complete: new gadgets and bypasses keep emerging, and some existing ones were not covered.

An attacker who can submit JSON to a vulnerable endpoint can therefore name a gadget class that is present on the application's classpath. Deserializing such a payload invokes methods on that unexpected type with attacker-controlled parameters, which can lead to arbitrary code execution or data manipulation and so affects confidentiality, integrity and availability.
What is the Impact of CVE-2021-20190?
Successful exploitation may allow attackers to execute arbitrary code, manipulate sensitive data, or cause a denial of service, leading to significant compromise of the system.
What is the Exploitability of CVE-2021-20190?
Exploitation is typically remote: an attacker sends a specially crafted JSON payload to an application endpoint that deserializes it with jackson-databind. No authentication or elevated privileges are required when the vulnerable deserialization is performed on unauthenticated user input. The complexity is generally moderate to high, because the attacker needs to know which gadget chains the application's classpath makes available and may have to bypass existing deserialization filters. The likelihood of exploitation rises when the application uses jackson-databind extensively to deserialize external, untrusted data, especially with polymorphic type handling enabled or with an insufficient gadget-blocking configuration.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-20190?
About the Fix from Resolved Security
The patch adds several dangerous classes (from Apache Ignite and Quartz) to the denylist in SubTypeValidator, preventing them from being deserialized. This addresses CVE-2021-20190 by blocking attackers from exploiting insecure deserialization that could lead to remote code execution via these classes.
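The weak and the hardened polymorphic configuration side by side, as an added example that is not from this advisory or from the jackson-databind project. It illustrates the Technical Details above (a type name carried in the payload selects the class that gets instantiated) and why the denylist in SubTypeValidator that the fix extends is only a backstop: an explicit allowlist refuses any class not on it before it is instantiated, whether or not it is a known gadget. The example assumes jackson-databind 2.10 or later, where the `PolymorphicTypeValidator` API exists; the `PolymorphicTypingDemo`, `Circle` and `Square` classes and the JSON payloads are constructed for illustration, and `java.util.HashMap` stands in for whatever class a sender chooses to name.

```java
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

/**
 * Added example (not from the advisory or from the jackson-databind project).
 * Requires jackson-databind 2.10 or later, where the allowlist API exists.
 * Domain classes and JSON payloads are constructed for illustration.
 */
public class PolymorphicTypingDemo {

    // Hypothetical domain model: the only types the application expects
    // to receive in a polymorphic position.
    public static class Circle { public double radius; }
    public static class Square { public double side; }

    // Weak configuration. "Default typing" makes Jackson honour a type name
    // embedded in the payload for every non-final declared type, so the JSON
    // can name ANY class on the classpath. The only thing then standing
    // between the payload and a gadget class is the library's denylist, the
    // mechanism the fix for this CVE extends and that each new gadget bypasses.
    static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL); // deprecated since 2.10
        return mapper;
    }

    // Hardened configuration: the same feature, but a payload-supplied type
    // name must pass an explicit allowlist. Anything not listed, gadget or
    // not, is refused before it is instantiated.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Circle.class)
                .allowIfSubType(Square.class)
                // Never .allowIfBaseType(Object.class): that re-opens everything.
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // Default typing's wire format is a two-element array: [type name, value].
    // The type name is chosen by whoever builds the payload.
    static String payload(String className, String body) {
        return "[\"" + className + "\", " + body + "]";
    }

    // Returns the runtime class Jackson instantiated, or null when it refused.
    static Class<?> tryRead(ObjectMapper mapper, String json) {
        try {
            Object value = mapper.readValue(json, Object.class);
            return value.getClass();
        } catch (JsonMappingException denied) {
            // Allowlist refusals surface as InvalidTypeIdException, a JsonMappingException.
            System.out.println("  refused: " + denied.getOriginalMessage());
            return null;
        } catch (java.io.IOException other) {
            throw new IllegalStateException(other);
        }
    }

    public static void main(String[] args) {
        // Expected type: accepted by both mappers.
        String circle = payload(Circle.class.getName(), "{\"radius\": 1.0}");
        // Unexpected type named by the payload. java.util.HashMap is a harmless
        // stand-in for "whatever class the sender chooses to name".
        String foreign = payload("java.util.HashMap", "{\"k\": \"v\"}");

        System.out.println("weak mapper:");
        System.out.println("  circle  -> " + tryRead(weakMapper(), circle));
        System.out.println("  foreign -> " + tryRead(weakMapper(), foreign));   // instantiated

        System.out.println("hardened mapper:");
        System.out.println("  circle  -> " + tryRead(hardenedMapper(), circle));
        System.out.println("  foreign -> " + tryRead(hardenedMapper(), foreign)); // null, refused
    }
}
```

Compile with jackson-databind (2.10 or later) and jackson-core/jackson-annotations on the classpath and run `java PolymorphicTypingDemo`. The weak mapper instantiates `java.util.HashMap` simply because the payload asked for it; the hardened mapper prints the refusal and returns null while still accepting `Circle`. The defensive point is that the fixed versions named in this advisory only lengthen the denylist, so an application that must keep polymorphic typing should also restrict it to an allowlist and, where the base type permits, prefer `@JsonTypeInfo` with named `@JsonSubTypes` over letting the payload carry class names at all.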
Available Upgrade Options
- com.fasterxml.jackson.core:jackson-databind
  - <2.6.7.5 → Upgrade to 2.6.7.5
  - >2.7.0, <2.9.10.7 → Upgrade to 2.9.10.7
Additional Resources
- https://osv.dev/vulnerability/GHSA-5949-rw7g-wx7w
- https://security.netapp.com/advisory/ntap-20210219-0008/
- https://github.com/FasterXML/jackson-databind/issues/2854
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://github.com/FasterXML/jackson-databind/commit/08fbfacf89a4a4c026a6227a1b470ab7a13e2e88
- https://bugzilla.redhat.com/show_bug.cgi?id=1916633
- https://lists.apache.org/thread.html/r380e9257bacb8551ee6fcf2c59890ae9477b2c78e553fa9ea08e9d9a%40%3Ccommits.nifi.apache.org%3E
What are Similar Vulnerabilities to CVE-2021-20190?
Similar Vulnerabilities: CVE-2017-7525, CVE-2017-15095, CVE-2018-7489, CVE-2019-12384, CVE-2019-14540
