September 21, 2020

CVE-2020-24616: Jackson Deserialization Security Vulnerabilities Alert

On August 25, 2020, the Jackson-databind project published a notice for a Jackson-databind deserialization vulnerability, tracked as CVE-2020-24616. The vulnerability is rated high risk, with a score of 7.5.
A new deserialization gadget chain in the library bypasses Jackson-databind's blacklist restrictions. A remote attacker who can send specially crafted requests to a web service interface built on this component can achieve remote code execution. As with the earlier Jackson gadget-chain CVEs, exploitation requires that the application enable polymorphic typing for attacker-controlled input (for example via default typing, or an Object-typed property annotated with a class-name type id) and that the gadget library be present on the classpath.

Vulnerability Detail

FasterXML Jackson-databind 2.x before mishandles the interaction between serialization gadgets and typing, related to (aka Anteros-DBCP).

Affected version

  • fasterxml:jackson-databind: <

Unaffected version

  • fasterxml:jackson-databind:
The same release also blocks the following gadget types (Maven groupId:artifactId):
  • org.arrahtec:profiler-core
  • com.nqadmin.rowset:jdbcrowsetimpl
  • com.pastdev.httpcomponents:configuration


We therefore recommend that users upgrade Jackson-databind to the latest version promptly. Because each fix of this kind only extends a blacklist that the next gadget may bypass, applications should also stop relying on default typing without a validator and restrict polymorphic deserialization to an explicit allowlist of application types.
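The following is an added example, not code from the advisory or from the jackson-databind project. It shows why the blacklist bypass described above matters and what the allowlist recommendation looks like in practice: an insecure ObjectMapper with global default typing lets the JSON document choose the concrete class instantiated for an Object-typed property, while a hardened mapper gates the same feature behind a PolymorphicTypeValidator allowlist. It assumes jackson-databind 2.10 or newer on the classpath (activateDefaultTyping and BasicPolymorphicTypeValidator were introduced in 2.10); the class names, the package prefix com.example.model and the JSON input are constructed for the example. The type id used is a harmless JDK class, not a gadget, which is enough to show the difference in behaviour.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

// Added example (hypothetical class names); assumes jackson-databind >= 2.10.
public class DefaultTypingDemo {

    // A bean with an Object-typed property. With default typing enabled, the JSON
    // document (i.e. the attacker) chooses the concrete class instantiated for "data".
    public static class Payload {
        public Object data;
    }

    // Constructed input. The type id names a harmless JDK class here, but with the
    // insecure mapper nothing restricts it to harmless classes: only Jackson's built-in
    // blacklist stands between the type id and a gadget, which is what CVE-2020-24616 bypassed.
    static final String JSON = "{\"data\":[\"java.util.ArrayList\",[1,2,3]]}";

    // Insecure configuration: global default typing with no validator (blacklist only).
    @SuppressWarnings("deprecation")
    static ObjectMapper insecureMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return mapper;
    }

    // Hardened configuration: default typing gated by an allowlist validator. Any type id
    // outside the listed package is rejected before the class is loaded or instantiated.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.") // hypothetical application package
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        // The insecure mapper instantiates whatever class the type id names.
        Payload p = insecureMapper().readValue(JSON, Payload.class);
        System.out.println("insecure mapper instantiated: " + p.data.getClass().getName());

        // The hardened mapper refuses the same document because java.util.ArrayList
        // is not under the allowed prefix.
        try {
            hardenedMapper().readValue(JSON, Payload.class);
            System.out.println("hardened mapper accepted the type id (unexpected)");
        } catch (InvalidTypeIdException e) {
            System.out.println("hardened mapper rejected type id: " + e.getTypeId());
        }
    }
}
```

OBJECT_AND_NON_CONCRETE is used rather than NON_FINAL so that the root Payload bean itself does not need a type id; the point of the example is the Object-typed property. The allowlist approach does not replace the upgrade: the fixed release still matters for code paths that use explicit @JsonTypeInfo, and the validator should be as narrow as the application's own model types allow.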