FasterXML jackson-databind 2.x before 2.9.10.8 and 2.6.7.5 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS.

Affected Packages

Maven com.fasterxml.jackson.core:jackson-databind

Affected versions: 2.7.0 (fixed in 2.9.10.8)

Maven com.fasterxml.jackson.core:jackson-databind

Affected versions: 2.0.0 (fixed in 2.6.7.5)

Related CVEs

CVE-2020-36182

Key Information

GHSA ID

GHSA-89qr-369f-5m5x

Published

December 9, 2021 7:15 PM

Last Modified

September 14, 2023 4:08 PM

CVSS Score

7.5 /10

Primary Ecosystem

Maven

Primary Package

com.fasterxml.jackson.core:jackson-databind

GitHub Reviewed

✓ Yes

Dataset

Last updated: September 15, 2025 6:32 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.