Login Sign Up

CVE-2020-14195

8.1 HIGH
Remote Code Execution Deserialization

📋 TL;DR

This vulnerability in FasterXML jackson-databind allows remote code execution through deserialization of untrusted data. Attackers can exploit the interaction between serialization gadgets and typing features to execute arbitrary code. Systems using jackson-databind 2.x with default polymorphic typing enabled are affected.

💻 Affected Systems

Products:
  • FasterXML jackson-databind
  • Applications using jackson-databind for JSON processing
Versions: 2.x before 2.9.10.5
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability requires polymorphic typing to be enabled (defaultObjectMapper.enableDefaultTyping() or similar). Applications using default configurations with untrusted JSON input are vulnerable.

📦 What is this software?

Active Iq Unified Manager by Netapp

View all CVEs affecting Active Iq Unified Manager →

Active Iq Unified Manager by Netapp

View all CVEs affecting Active Iq Unified Manager →

Active Iq Unified Manager by Netapp

View all CVEs affecting Active Iq Unified Manager →

Agile Plm by Oracle

View all CVEs affecting Agile Plm →

Banking Digital Experience by Oracle

View all CVEs affecting Banking Digital Experience →

Banking Digital Experience by Oracle

View all CVEs affecting Banking Digital Experience →

Banking Digital Experience by Oracle

View all CVEs affecting Banking Digital Experience →

Banking Digital Experience by Oracle

View all CVEs affecting Banking Digital Experience →

Banking Digital Experience by Oracle

View all CVEs affecting Banking Digital Experience →

Banking Digital Experience by Oracle

View all CVEs affecting Banking Digital Experience →

Communications Calendar Server by Oracle

View all CVEs affecting Communications Calendar Server →

Communications Contacts Server by Oracle

View all CVEs affecting Communications Contacts Server →

Communications Diameter Signaling Router by Oracle

View all CVEs affecting Communications Diameter Signaling Router →

Communications Element Manager by Oracle

View all CVEs affecting Communications Element Manager →

Communications Evolved Communications Application Server by Oracle

View all CVEs affecting Communications Evolved Communications Application Server →

Communications Instant Messaging Server by Oracle

View all CVEs affecting Communications Instant Messaging Server →

Communications Session Report Manager by Oracle

View all CVEs affecting Communications Session Report Manager →

Communications Session Route Manager by Oracle

View all CVEs affecting Communications Session Route Manager →

Debian Linux by Debian

View all CVEs affecting Debian Linux →

Jackson Databind by Fasterxml

View all CVEs affecting Jackson Databind →

Steelstore Cloud Integrated Storage by Netapp

View all CVEs affecting Steelstore Cloud Integrated Storage →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data theft, and lateral movement within the network.

🟠

Likely Case

Remote code execution with the privileges of the application process, potentially allowing data exfiltration or service disruption.

🟢

If Mitigated

Denial of service or limited information disclosure if proper input validation and deserialization controls are in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires the application to deserialize untrusted JSON with polymorphic typing enabled. The JndiRealmFactory gadget chain is specifically targeted.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.9.10.5 or later

Vendor Advisory: https://github.com/FasterXML/jackson-databind/issues/2765

Restart Required: Yes

Instructions:

1. Update jackson-databind dependency to version 2.9.10.5 or later. 2. Update Maven/Gradle configuration to use patched version. 3. Restart affected applications. 4. Verify no older vulnerable versions remain in dependency tree.

🔧 Temporary Workarounds

Disable polymorphic typing

all

Disable default typing features if not required for application functionality

Remove calls to enableDefaultTyping() from ObjectMapper configuration

Block JndiRealmFactory class

all

Add JndiRealmFactory to the list of blocked deserialization classes

ObjectMapper mapper = new ObjectMapper(); mapper.enableDefaultTyping(); mapper.addMixIn(Object.class, MyMixInForIgnoreType.class);

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for all JSON inputs
  • Use network segmentation to isolate vulnerable systems and limit attack surface

🔍 How to Verify

Check if Vulnerable:

Check pom.xml or build.gradle for jackson-databind version <2.9.10.5. Run: mvn dependency:tree | grep jackson-databind or gradle dependencies | grep jackson-databind

Check Version:

mvn dependency:tree | grep jackson-databind

Verify Fix Applied:

Verify jackson-databind version is 2.9.10.5 or higher in dependency tree. Test application with known malicious payloads.

📡 Detection & Monitoring

Log Indicators:

  • Unusual deserialization errors
  • JNDI lookup attempts in logs
  • Unexpected class loading

Network Indicators:

  • Unexpected outbound LDAP connections from application servers
  • Suspicious JSON payloads containing type information

SIEM Query:

source="application.log" AND ("JndiRealmFactory" OR "enableDefaultTyping" OR "Jackson deserialization")

📊 Metadata

CVE ID: CVE-2020-14195
CVSS v3 Score: 8.1 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-502
Published: June 16, 2020
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2020-14195, you might also want to check these:

CVE-2023-46604 10.0

CVE-2023-46604 is a critical remote code execution vulnerability in Apache ActiveMQ's Java OpenWire ...

Same vulnerability type (CWE-502)
CVE-2023-49772 10.0

This vulnerability allows unauthenticated attackers to execute arbitrary PHP code through deserializ...

Same vulnerability type (CWE-502)
CVE-2024-25100 10.0

This vulnerability allows unauthenticated attackers to inject malicious PHP objects via deserializat...

Same vulnerability type (CWE-502)