CVE-2020-10650

Deserialization of Untrusted Data

Published: Dec 26, 2022 | Modified: Aug 19, 2025

CVSS 3.x: 8.1 HIGH (Source: NVD)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x: (not listed)
RedHat/V2: (not listed)
RedHat/V3: (not listed)
Ubuntu priority: MEDIUM

A deserialization flaw was discovered in jackson-databind through 2.9.10.4 (that is, releases before the one that followed 2.9.10.4). It could allow an unauthenticated user to perform code execution via ignite-jta or quartz-core: org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup, org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory, and org.quartz.utils.JNDIConnectionProvider. As with the other jackson-databind gadget CVEs, these classes are only reachable when the application lets the JSON name the target class (default typing or a permissive @JsonTypeInfo) on attacker-controlled input and the gadget library is on the classpath, which is consistent with the Attack Complexity: High (AC:H) in the NVD vector.

Weakness

CWE-502: The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid. Here the unverified data is the class name embedded in the JSON, which selects the type Jackson instantiates.

Affected Software

Name               Vendor   Start Version       End Version
Debian_linux       Debian   10.0 (including)    10.0 (including)
Jackson-databind   Ubuntu   bionic              *
Jackson-databind   Ubuntu   focal               *
Jackson-databind   Ubuntu   kinetic             *
Jackson-databind   Ubuntu   lunar               *
Jackson-databind   Ubuntu   mantic              *
Jackson-databind   Ubuntu   oracular            *
Jackson-databind   Ubuntu   trusty              *
Jackson-databind   Ubuntu   trusty/esm          *
Jackson-databind   Ubuntu   xenial              *

Potential Mitigations

  • Upgrade jackson-databind to a release later than 2.9.10.4; newer releases refuse to resolve the three type ids named above.
  • Do not enable default typing (enableDefaultTyping, or activateDefaultTyping without a restrictive validator) for JSON that an untrusted party can supply. Where polymorphic handling is genuinely needed, jackson-databind 2.10 and later accept a PolymorphicTypeValidator allow-list that names the application's own types, so an attacker-supplied class name is denied before the class is loaded.
  • Remove ignite-jta and quartz-core from the classpath if the application does not use them; a gadget class that is not present cannot be instantiated.
  • Generic CWE-502 advice for Java serialization, making fields transient, does not apply here: transient fields are skipped by java.io serialization and come back as default values (null for references, 0/false for primitives), which can keep time-, environment- or secret-bearing state from being carried over, but this flaw is about which class gets constructed, not which fields are restored.
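The configuration guidance above, as an added example that is not part of the original page or of the Jackson project: it puts the ObjectMapper setup that makes this class of gadget reachable next to an allow-list setup, and checks that the three type ids named in the advisory are refused. It assumes jackson-databind 2.10 or newer (where activateDefaultTyping and BasicPolymorphicTypeValidator exist); PolymorphicHardening and Payload are hypothetical names, and the `{}` object body is a constructed placeholder, not a working payload for either gadget.

```java
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

/**
 * Added example (not from the advisory page or the Jackson project).
 * Contrasts the ObjectMapper setup that exposes CVE-2020-10650-style gadgets
 * with an allow-list setup. Assumes jackson-databind 2.10 or newer.
 */
public class PolymorphicHardening {

    /** Hypothetical application type that legitimately needs polymorphic handling. */
    public static class Payload {
        public String name;
    }

    /** Type ids named in the advisory; none of them is on the allow-list below. */
    static final String[] GADGET_TYPE_IDS = {
        "org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup",
        "org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory",
        "org.quartz.utils.JNDIConnectionProvider",
    };

    /**
     * VULNERABLE: global default typing with no validator. Any non-final class
     * the JSON names becomes a candidate for instantiation, so an attacker who
     * names a gadget class that is on the classpath chooses what gets built.
     */
    @SuppressWarnings("deprecation")
    static ObjectMapper vulnerableMapper() {
        return new ObjectMapper().enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
    }

    /**
     * HARDENED: default typing is only activated behind a PolymorphicTypeValidator
     * that allows Payload (and its subclasses) and denies every other type id,
     * so an unknown class name is refused rather than loaded and constructed.
     */
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Payload.class)
                .build();
        return new ObjectMapper().activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
    }

    /** True if the mapper refuses to resolve the given type id (array-wrapped form). */
    static boolean rejectsTypeId(ObjectMapper mapper, String typeId) throws Exception {
        // Constructed placeholder input: the type id in the shape default typing emits,
        // followed by an empty object. It is not an exploit payload.
        String json = "[\"" + typeId + "\", {}]";
        try {
            mapper.readValue(json, Object.class);
            return false;
        } catch (JsonMappingException e) {
            // Thrown whether the validator denies the name or the class cannot be resolved.
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper safe = hardenedMapper();

        // Legitimate round trip still works: the emitted type id names an allowed class.
        Payload in = new Payload();
        in.name = "nightly-report";
        String json = safe.writeValueAsString(in);
        Payload out = (Payload) safe.readValue(json, Object.class);
        System.out.println("round trip ok: " + out.name + "  " + json);

        // Every gadget type id from the advisory is denied by the allow-list,
        // whether or not ignite-jta or quartz-core happens to be on the classpath.
        for (String id : GADGET_TYPE_IDS) {
            System.out.println(id + " -> " + (rejectsTypeId(safe, id) ? "rejected" : "ACCEPTED"));
        }
    }
}
```

The allow-list is deliberately built from the application's own base class rather than from a blocklist of known gadgets: the jackson-databind blocklist had to be extended release after release as new gadget classes were found, whereas an allow-list denies a class it has never heard of. If the application does not need polymorphic handling at all, the strongest option is to call neither enableDefaultTyping nor activateDefaultTyping.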
