GHSA-rf6r-2c4q-2vwg

GitHub Security Advisory

jackson-databind mishandles the interaction between serialization gadgets and typing

✓ GitHub Reviewed HIGH Has CVE

Advisory Details

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy).

Affected Packages

Maven com.fasterxml.jackson.core:jackson-databind
Affected versions: 2.9.0 (fixed in 2.9.10.4)

Key Information

GHSA ID: GHSA-rf6r-2c4q-2vwg
Published: May 15, 2020 6:58 PM
Last Modified: March 15, 2024 12:50 AM
CVSS Score: 7.5/10
Primary Ecosystem: Maven
Primary Package: com.fasterxml.jackson.core:jackson-databind
GitHub Reviewed: ✓ Yes

Dataset

Last updated: September 10, 2025 6:31 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.