CVE-2020-11619

high

Published 2020-04-07 · Modified 2026-05-06

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

8.1

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4 NEW

—

not yet in upstream

VIR risk

8.1

Description

jackson-databind mishandles the interaction between serialization gadgets and typing

Predictions

Exploit likelihood

88%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

OS impact

Debian Mixed 6 releases

Version	Status	Fixed in
trixie	Fixed	`2.11.1-1`
sid	Fixed	`2.11.1-1`
forky	Fixed	`2.11.1-1`
bullseye	Fixed	`2.11.1-1`
bookworm	Fixed	`2.11.1-1`
8.0	Affected	—

Package impact

Ecosystem	Package	Vulnerable	Fixed
Maven	com.fasterxml.jackson.core:jackson-databind	`>=2.9.0,<2.9.10.4`	`2.9.10.4`
MAVEN	com.fasterxml.jackson.core:jackson-databind	`>= 2.9.0, <= 2.9.10.3`	`2.9.10.4`

Application impact

Vendor	Product	Versions	Fixed
fasterxml	jackson-databind	`{"startIncluding":"2.0.0","endExcluding":"2.9.10.4"}`	`2.9.10.4`
netapp	active_iq_unified_manager	`{"startIncluding":"7.3"}`
netapp	steelstore_cloud_integrated_storage	`-`
oracle	agile_plm	`9.3.6`
oracle	banking_platform	`{"startIncluding":"2.4.0","endIncluding":"2.9.0"}`
oracle	communications_calendar_server	`8.0.0.4.0`
oracle	communications_contacts_server	`8.0.0.4.0`
oracle	communications_contacts_server	`8.0.0.5.0`
oracle	communications_diameter_signaling_router	`{"startIncluding":"8.0.0","endIncluding":"8.2.2"}`
oracle	communications_evolved_communications_application_server	`7.1`
oracle	communications_instant_messaging_server	`10.0.1.4.0`
oracle	communications_network_charging_and_control	`{"startIncluding":"12.0.0","endIncluding":"12.0.3"}`
oracle	communications_network_charging_and_control	`6.0.1`
oracle	enterprise_manager_base_platform	`13.3.0.0`
oracle	enterprise_manager_base_platform	`13.4.0.0`
oracle	global_lifecycle_management_opatch	`{"endExcluding":"12.2.0.1.20"}`	`12.2.0.1.20`
oracle	jd_edwards_enterpriseone_orchestrator	`{"endExcluding":"9.2.4.2"}`	`9.2.4.2`
oracle	jd_edwards_enterpriseone_tools	`{"endExcluding":"9.2.4.2"}`	`9.2.4.2`
oracle	primavera_unifier	`{"startIncluding":"17.7","endIncluding":"17.12"}`
oracle	primavera_unifier	`16.1`
oracle	primavera_unifier	`16.2`
oracle	primavera_unifier	`18.8`
oracle	primavera_unifier	`19.12`
oracle	retail_merchandising_system	`15.0`
oracle	retail_sales_audit	`14.1`
oracle	retail_xstore_point_of_service	`15.0`
oracle	retail_xstore_point_of_service	`16.0`
oracle	retail_xstore_point_of_service	`17.0`
oracle	retail_xstore_point_of_service	`18.0`
oracle	retail_xstore_point_of_service	`19.0`
oracle	weblogic_server	`12.2.1.3.0`
oracle	weblogic_server	`12.2.1.4.0`

References

CWEs

CWE-502

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.