CVE-2020-11619

high

Published 2020-04-07 · Modified 2026-05-06

CVSS v3

8.1

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2

6.8

VIR risk

8.1

Description

jackson-databind mishandles the interaction between serialization gadgets and typing

Predictions

Exploit likelihood

88%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2020-11619

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — https://github.com/FasterXML/jackson-databind/issues/2680

OS impact

OS	Version	Status	Fixed in
debian	bookworm	fixed	`2.11.1-1`
debian	bullseye	fixed	`2.11.1-1`
debian	forky	fixed	`2.11.1-1`
debian	sid	fixed	`2.11.1-1`
debian	trixie	fixed	`2.11.1-1`
debian	8.0	affected

Package impact

Ecosystem	Package	Vulnerable	Fixed
Maven	com.fasterxml.jackson.core:jackson-databind	`>=2.9.0,<2.9.10.4`	`2.9.10.4`
MAVEN	com.fasterxml.jackson.core:jackson-databind	`>= 2.9.0, <= 2.9.10.3`	`2.9.10.4`

Application impact

Vendor	Product	Versions	Fixed
fasterxml	jackson-databind	`{"startIncluding":"2.0.0","endExcluding":"2.9.10.4"}`	`2.9.10.4`
netapp	active_iq_unified_manager	`{"startIncluding":"7.3"}`
netapp	steelstore_cloud_integrated_storage	`-`
oracle	agile_plm	`9.3.6`
oracle	banking_platform	`{"startIncluding":"2.4.0","endIncluding":"2.9.0"}`
oracle	communications_calendar_server	`8.0.0.4.0`
oracle	communications_contacts_server	`8.0.0.4.0`
oracle	communications_contacts_server	`8.0.0.5.0`
oracle	communications_diameter_signaling_router	`{"startIncluding":"8.0.0","endIncluding":"8.2.2"}`
oracle	communications_evolved_communications_application_server	`7.1`
oracle	communications_instant_messaging_server	`10.0.1.4.0`
oracle	communications_network_charging_and_control	`{"startIncluding":"12.0.0","endIncluding":"12.0.3"}`
oracle	communications_network_charging_and_control	`6.0.1`
oracle	enterprise_manager_base_platform	`13.3.0.0`
oracle	enterprise_manager_base_platform	`13.4.0.0`
oracle	global_lifecycle_management_opatch	`{"endExcluding":"12.2.0.1.20"}`	`12.2.0.1.20`
oracle	jd_edwards_enterpriseone_orchestrator	`{"endExcluding":"9.2.4.2"}`	`9.2.4.2`
oracle	jd_edwards_enterpriseone_tools	`{"endExcluding":"9.2.4.2"}`	`9.2.4.2`
oracle	primavera_unifier	`{"startIncluding":"17.7","endIncluding":"17.12"}`
oracle	primavera_unifier	`16.1`
oracle	primavera_unifier	`16.2`
oracle	primavera_unifier	`18.8`
oracle	primavera_unifier	`19.12`
oracle	retail_merchandising_system	`15.0`
oracle	retail_sales_audit	`14.1`
oracle	retail_xstore_point_of_service	`15.0`
oracle	retail_xstore_point_of_service	`16.0`
oracle	retail_xstore_point_of_service	`17.0`
oracle	retail_xstore_point_of_service	`18.0`
oracle	retail_xstore_point_of_service	`19.0`
oracle	weblogic_server	`12.2.1.3.0`
oracle	weblogic_server	`12.2.1.4.0`

References

CWEs

CWE-502

Verify integrity in audit chain (admin only). AS-IS.