CVE-2020-24616

FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).

Weakness

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Affected Software

Name	Vendor	Start Version	End Version
Jackson-databind	Fasterxml	2.0.0 (including)	2.9.10.6 (excluding)
Jackson-databind	Ubuntu	bionic	*
Jackson-databind	Ubuntu	focal	*
Jackson-databind	Ubuntu	groovy	*
Jackson-databind	Ubuntu	hirsute	*
Jackson-databind	Ubuntu	impish	*
Jackson-databind	Ubuntu	kinetic	*
Jackson-databind	Ubuntu	lunar	*
Jackson-databind	Ubuntu	mantic	*
Jackson-databind	Ubuntu	oracular	*
Jackson-databind	Ubuntu	trusty	*
Jackson-databind	Ubuntu	trusty/esm	*
Jackson-databind	Ubuntu	xenial	*

Potential Mitigations

Make fields transient to protect them from deserialization.
An attempt to serialize and then deserialize a class containing transient fields will result in NULLs where the transient data should be. This is an excellent way to prevent time, environment-based, or sensitive variables from being carried over and used improperly.

https://cwe.mitre.org/data/definitions/586.html

NVD	https://nvd.nist.gov/vuln/detail/CVE-2020-24616
CWE	https://cwe.mitre.org/data/definitions/502.html

Deserialization of Untrusted Data

Weakness

Affected Software

Potential Mitigations

References

CVE-2020-24616

Deserialization of Untrusted Data

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References