
CVE-2020-36189: Unsafe Deserialization in jackson-databind

CVSS Score
8.1 (CVSS v3.1)

Basic Information

EPSS Score
0.85138%
Published
12/9/2021
Updated
9/14/2023
KEV Status
No
Technology
Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name                                  Ecosystem   Vulnerable Versions      First Patched Version
com.fasterxml.jackson.core:jackson-databind   maven       >= 2.7.0, < 2.9.10.8     2.9.10.8
com.fasterxml.jackson.core:jackson-databind   maven       < 2.6.7.5                2.6.7.5

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The analysis is based on the patch that modifies the SubTypeValidator class in jackson-databind. The change adds the gadget class named in the advisory, com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource (the New Relic agent's shaded copy of logback's DriverManagerConnectionSource), to the set of class names that SubTypeValidator refuses to deserialize (DEFAULT_NO_DESER_CLASS_NAMES). That set is consulted by SubTypeValidator.validateSubType, which BeanDeserializerFactory._validateSubType invokes when a polymorphic type id resolves to a bean type; a match raises an InvalidDefinitionException ("Illegal type (...) to deserialize: prevented for security reasons") before the class is instantiated. The fix is therefore a blocklist entry rather than a change to the deserialization model: an application is exposed only when it enables Default Typing (or @JsonTypeInfo with class ids on a broad base type such as Object) for attacker-controlled JSON and has the gadget class on its classpath, which is why the CVSS vector rates attack complexity as High.
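The configuration that makes this class of gadget reachable, its hardened replacement, and a probe that reports how a given ObjectMapper handles the advisory's type id, as an added Java example that is not code from the Miggo page or from the jackson-databind project. It assumes jackson-databind 2.10 or later on the classpath (for the PolymorphicTypeValidator API), a hypothetical application package prefix com.example.model, and a constructed, deliberately inert payload; the exception messages quoted in the comments are jackson-databind's own.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidDefinitionException;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingProbe {

    // Gadget class named in the advisory. The payload is a constructed input in the
    // [classId, {properties}] shape that Default Typing accepts for an Object-typed
    // target; the property body is left empty on purpose, this is not a working exploit.
    static final String GADGET =
        "com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource";
    static final String UNTRUSTED_JSON = "[\"" + GADGET + "\", {}]";

    /** The exposed pattern: global Default Typing, the type id is chosen by the input. */
    static ObjectMapper legacyMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL); // deprecated since 2.10
        return m;
    }

    /** Hardened: only type ids under an application-owned package prefix are resolved. */
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType("com.example.model.") // hypothetical application package
            .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    /**
     * Feeds the constructed payload to the mapper and classifies the outcome.
     * BLOCKLIST: SubTypeValidator refused the class (patched 2.9.10.8 / 2.6.7.5 behaviour;
     *            this branch is only reachable when the gadget class is on the classpath).
     * DENIED:    the PolymorphicTypeValidator refused the type id by name, before loading it.
     * ACCEPTED:  the type id was resolved, or would have been had the class been present,
     *            which is the unsafe outcome on an unpatched version.
     */
    static String probe(ObjectMapper mapper) {
        try {
            mapper.readValue(UNTRUSTED_JSON, Object.class);
            return "ACCEPTED (instantiated)";
        } catch (InvalidDefinitionException e) {
            // "Illegal type (...) to deserialize: prevented for security reasons"
            return "BLOCKLIST: " + e.getOriginalMessage();
        } catch (InvalidTypeIdException e) {
            String msg = String.valueOf(e.getOriginalMessage());
            if (msg.contains("PolymorphicTypeValidator")) {
                // "... Configured `PolymorphicTypeValidator` (...) denied resolution"
                return "DENIED: " + msg;
            }
            // e.g. "no such class found": the id passed validation, only the load failed
            return "ACCEPTED (class missing): " + msg;
        } catch (Exception e) {
            return "ERROR: " + e;
        }
    }

    public static void main(String[] args) {
        System.out.println("legacy   -> " + probe(legacyMapper()));
        System.out.println("hardened -> " + probe(hardenedMapper()));
    }
}
```

Run the probe against the ObjectMapper your service actually uses: an ACCEPTED result with a missing class means the mapper would load any class the input names, and a patched jackson-databind only helps for the gadgets on its blocklist. The allow-list validator closes the whole class of type-id gadgets rather than the one this CVE names.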


WAF Protection Rules

WAF Rule

FasterXML jackson-databind 2.x before 2.9.10.8 and 2.6.7.5 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource.
