vulnerability

Ubuntu: (CVE-2020-35728): jackson-databind vulnerability

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
7	(AV:N/AC:M/Au:N/C:P/I:P/A:P)	Dec 27, 2020	Jun 26, 2025	Aug 18, 2025

Severity

CVSS

(AV:N/AC:M/Au:N/C:P/I:P/A:P)

Published

Dec 27, 2020

Added

Jun 26, 2025

Modified

Aug 18, 2025

Description

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl).

Solution

no-fix-ubuntu-package

References

CVE-2020-35728
https://attackerkb.com/topics/CVE-2020-35728
CWE-502
URL-https://github.com/FasterXML/jackson-databind/issues/2999
URL-https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
URL-https://www.cve.org/CVERecord?id=CVE-2020-35728

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today