CVE-2020-11620: 
Java vulnerability analysis and mitigation

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded (aka commons-jelly). The vulnerability was disclosed in April 2020 and affects jackson-databind versions from 2.0.0 up to (excluding) 2.9.10.4 (NVD, GitHub Issue).

The vulnerability has a CVSS v3.1 base score of 8.1 HIGH with vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. The issue stems from improper handling of the interaction between serialization gadgets and typing, specifically related to the org.apache.commons.jelly.impl.Embedded class. This vulnerability is part of a series of similar deserialization issues in jackson-databind (NVD).

If successfully exploited, this vulnerability could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS). The vulnerability requires network access but no authentication, making it particularly concerning for exposed applications (NetApp Advisory).

The primary mitigation is to upgrade to jackson-databind version 2.9.10.4 or later. For versions 2.10 and above, the vulnerability is mitigated by default as Safe Default Typing is enabled. If upgrading is not immediately possible, it is recommended to avoid using default typing and avoid using java.lang.Object as the nominal type for polymorphic values (Jackson Blog).

Multiple organizations issued security advisories regarding this vulnerability, including NetApp and Oracle. Oracle included fixes for this vulnerability in their Critical Patch Updates (Oracle CPU Jan 2021, Oracle CPU Jul 2020, Oracle CPU Oct 2020).