GHSA-8c4j-34r4-xr8g

GitHub Security Advisory

Unsafe Deserialization in jackson-databind

✓ GitHub Reviewed | Severity: HIGH | Has CVE

Advisory Details

FasterXML jackson-databind 2.x before 2.9.10.8 and 2.6.7.5 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS.

Affected Packages

Maven com.fasterxml.jackson.core:jackson-databind
Affected versions: from 2.7.0 (fixed in 2.9.10.8)
Maven com.fasterxml.jackson.core:jackson-databind
Affected versions: from 2.0.0 (fixed in 2.6.7.5)

Related CVEs

Key Information

GHSA ID: GHSA-8c4j-34r4-xr8g
Published: December 9, 2021 7:16 PM
Last Modified: September 14, 2023 4:13 PM
CVSS Score: 7.5/10
Primary Ecosystem: Maven
Primary Package: com.fasterxml.jackson.core:jackson-databind
GitHub Reviewed: ✓ Yes

Dataset

Last updated: September 10, 2025 6:31 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.