CVE-2020-36183

high

Published 2021-01-07 · Modified 2026-05-06

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

8.1

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4 NEW

—

not yet in upstream

VIR risk

8.1

Description

Unsafe Deserialization in jackson-databind

Predictions

Exploit likelihood

88%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

OS impact

Debian Mixed 6 releases

Version	Status	Fixed in
trixie	Fixed	`2.12.1-1`
sid	Fixed	`2.12.1-1`
forky	Fixed	`2.12.1-1`
bullseye	Fixed	`2.12.1-1`
bookworm	Fixed	`2.12.1-1`
9.0	Affected	—

Package impact

Ecosystem	Package	Vulnerable	Fixed
Maven	com.fasterxml.jackson.core:jackson-databind	`>=2.7.00,<2.9.10.8`	`2.9.10.8`
Maven	com.fasterxml.jackson.core:jackson-databind	`>=2.0.0,<2.6.7.5`	`2.6.7.5`
MAVEN	com.fasterxml.jackson.core:jackson-databind	`>= 2.0.0, < 2.6.7.5`	`2.6.7.5`
MAVEN	com.fasterxml.jackson.core:jackson-databind	`>= 2.7.00, < 2.9.10.8`	`2.9.10.8`

Application impact

Vendor	Product	Versions	Fixed
fasterxml	jackson-databind	`{"startIncluding":"2.0.0","endExcluding":"2.6.7.5"}`	`2.6.7.5`
netapp	cloud_backup	`-`
netapp	service_level_manager	`-`
oracle	agile_plm	`9.3.6`
oracle	application_testing_suite	`13.3.0.1`
oracle	autovue_for_agile_product_lifecycle_management	`21.0.2`
oracle	banking_corporate_lending_process_management	`14.2`
oracle	banking_corporate_lending_process_management	`14.3`
oracle	banking_corporate_lending_process_management	`14.5`
oracle	banking_credit_facilities_process_management	`14.2`
oracle	banking_credit_facilities_process_management	`14.3`
oracle	banking_credit_facilities_process_management	`14.5`
oracle	banking_extensibility_workbench	`14.2`
oracle	banking_extensibility_workbench	`14.3`
oracle	banking_extensibility_workbench	`14.5`
oracle	banking_supply_chain_finance	`14.2`
oracle	banking_supply_chain_finance	`14.3`
oracle	banking_supply_chain_finance	`14.5`
oracle	banking_treasury_management	`4.4`
oracle	banking_virtual_account_management	`14.2.0`
oracle	banking_virtual_account_management	`14.3.0`
oracle	banking_virtual_account_management	`14.5.0`
oracle	blockchain_platform	`{"endIncluding":"21.1.2"}`
oracle	commerce_platform	`{"startIncluding":"11.3.0","endIncluding":"11.3.2"}`
oracle	commerce_platform	`11.2.0`
oracle	communications_billing_and_revenue_management	`7.5.0.23.0`
oracle	communications_billing_and_revenue_management	`12.0.0.3.0`
oracle	communications_cloud_native_core_policy	`1.14.0`
oracle	communications_cloud_native_core_unified_data_repository	`1.4.0`
oracle	communications_convergent_charging_controller	`12.0.4.0.0`
oracle	communications_diameter_signaling_route	`{"startIncluding":"8.0.0.0","endIncluding":"8.5.0.0"}`
oracle	communications_element_manager	`{"startIncluding":"8.2.0.0","endIncluding":"8.2.4.0"}`
oracle	communications_evolved_communications_application_server	`7.1`
oracle	communications_instant_messaging_server	`10.0.1.5.0`
oracle	communications_network_charging_and_control	`12.0.4.0.0`
oracle	communications_offline_mediation_controller	`12.0.0.3`
oracle	communications_policy_management	`12.5.0`
oracle	communications_pricing_design_center	`12.0.0.4.0`
oracle	communications_services_gatekeeper	`7.0`
oracle	communications_session_report_manager	`{"startIncluding":"8.0.0.0","endIncluding":"8.2.2.1"}`
oracle	communications_session_route_manager	`{"startIncluding":"8.2.0.0","endIncluding":"8.2.2.1"}`
oracle	communications_unified_inventory_management	`7.4.1`
oracle	data_integrator	`12.2.1.4.0`
oracle	documaker	`12.6.0`
oracle	documaker	`12.6.3`
oracle	documaker	`12.6.4`
oracle	goldengate_application_adapters	`19.1.0.0.0`
oracle	insurance_policy_administration	`{"startIncluding":"11.1.0","endIncluding":"11.3.0"}`
oracle	insurance_policy_administration	`11.0.2`
oracle	insurance_rules_palette	`{"startIncluding":"11.1.0","endIncluding":"11.3.0"}`
oracle	insurance_rules_palette	`11.0.2`
oracle	jd_edwards_enterpriseone_orchestrator	`{"endExcluding":"9.2.5.3"}`	`9.2.5.3`
oracle	jd_edwards_enterpriseone_tools	`{"endExcluding":"9.2.5.3"}`	`9.2.5.3`
oracle	primavera_gateway	`{"startIncluding":"17.12.0","endIncluding":"17.12.11"}`
oracle	primavera_gateway	`20.12.0`
oracle	primavera_unifier	`{"startIncluding":"17.7","endIncluding":"17.12"}`
oracle	primavera_unifier	`17.2`
oracle	primavera_unifier	`18.8`
oracle	primavera_unifier	`19.12`
oracle	primavera_unifier	`20.12`
oracle	retail_customer_management_and_segmentation_foundation	`{"startIncluding":"16.0","endIncluding":"19.0"}`
oracle	retail_merchandising_system	`15.0.3`
oracle	retail_service_backbone	`14.1.3.2`
oracle	retail_service_backbone	`15.0.3.1`
oracle	retail_service_backbone	`16.0.3.0`
oracle	retail_xstore_point_of_service	`16.0.6`
oracle	retail_xstore_point_of_service	`17.0.4`
oracle	retail_xstore_point_of_service	`18.0.3`
oracle	retail_xstore_point_of_service	`19.0.2`
oracle	webcenter_portal	`12.2.1.3.0`
oracle	webcenter_portal	`12.2.1.4.0`

References

CWEs

CWE-502

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.