CVE-2021-20190
Java vulnerability analysis and mitigation

Overview

A flaw was found in jackson-databind before version 2.9.10.7. FasterXML jackson-databind 2.x before 2.9.10.7 mishandles the interaction between serialization gadgets and typing, in this case a gadget type in javax.swing. The vulnerability was reported in late 2020 and publicly disclosed on January 19, 2021. It affects multiple products that bundle the jackson-databind library, including various Apache, NetApp, and Oracle products (NVD, MITRE).

Technical details

The root cause is jackson-databind's Default Typing feature. When it is enabled, the JSON document itself carries the fully qualified class name of the value to deserialize (as a wrapper array or a type id property), and the library resolves and instantiates that class with attacker-supplied property values. Any class on the classpath whose constructor or setters have side effects (a "gadget") therefore becomes reachable from untrusted input. In the 2.9 series the only defence is a blocklist of known gadget types maintained inside the library, and CVE-2021-20190 is one more entry in that list, this time for a javax.swing type. Default Typing is disabled by default in every version; what changed in the 2.10 series is that the unvalidated enableDefaultTyping() API was deprecated in favour of activateDefaultTyping(PolymorphicTypeValidator, ...), known as Safe Default Typing, which only resolves class names the application has explicitly allow-listed. The blocklist approach is considered superseded for 2.10 and later, so the issue remains only for applications that still enable Default Typing without a validator. The vulnerability has been assigned a CVSS v3.1 base score of 8.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H (Security Tracker, NVD); the high attack complexity reflects the preconditions that Default Typing is enabled and the gadget class is loadable.

Impact

The vulnerability poses significant risks to data confidentiality, integrity, and system availability. When successfully exploited, it can lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS). Exploitation requires that the application enable Default Typing and deserialize attacker-controlled JSON, so the vulnerability is of particular concern in services that accept polymorphic JSON from untrusted clients (NetApp Advisory).

Mitigation and workarounds

The primary mitigation is to upgrade to jackson-databind version 2.9.10.7 or later, which adds the javax.swing gadget to the library's blocklist. For version 2.10.0 and later the issue is not considered valid, provided Default Typing is enabled through activateDefaultTyping() with a PolymorphicTypeValidator (Safe Default Typing) rather than the deprecated, unvalidated enableDefaultTyping(); migrating to the allow-list API is the durable fix, because it no longer depends on the library knowing every gadget in advance. If upgrading is not immediately possible, the recommended workarounds are to avoid deserializing untrusted input with Default Typing enabled, to disable Default Typing altogether (explicit @JsonTypeInfo with named subtypes on the few types that need polymorphism is usually sufficient), and to keep the gadget class off the classpath (GitHub Issue). The last option is of limited use here: javax.swing ships with the JDK itself (the java.desktop module on Java 9 and later), so it can only be excluded by building a custom runtime image that omits that module.
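The following is an added example, not code from this page or from the Jackson project. It puts the vulnerable configuration described under Technical details next to the Safe Default Typing configuration recommended above and runs both against the same constructed inputs. It assumes jackson-databind 2.10 or later on the classpath (activateDefaultTyping does not exist in 2.9); the class DefaultTypingDemo, the nested type Note and the helper methods are made up for the demonstration, and java.util.UUID stands in for an attacker-chosen class so the demo is safe to run.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

// Assumes jackson-databind 2.10+ (activateDefaultTyping is a 2.10 API).
// Everything except Jackson's own classes is invented for this example.
public class DefaultTypingDemo {

    // An application type that legitimately travels as a polymorphic value.
    public static class Note {
        public String text;
    }

    // Vulnerable pattern: unvalidated Default Typing (legacy 2.9 API, deprecated
    // in 2.10). Any class name carried in the JSON is resolved and instantiated;
    // the only protection is jackson-databind's blocklist of known gadget types,
    // which is what the CVE-2021-20190 fix extended for javax.swing.
    @SuppressWarnings("deprecation")
    static ObjectMapper unsafeMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return m;
    }

    // Hardened pattern: Safe Default Typing. The validator is an allow-list, so a
    // type id is honoured only if it names a class assignable to Note; every other
    // name, javax.swing types included, is refused before anything is instantiated.
    static ObjectMapper safeMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Note.class)
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return m;
    }

    // Deserialize an Object-typed root value. With OBJECT_AND_NON_CONCRETE the
    // document must carry a type id as a wrapper array: [ "<class name>", <value> ].
    static Object parse(ObjectMapper m, String json) throws Exception {
        return m.readValue(json, Object.class);
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs. The first names our own type; the second names an
        // arbitrary JDK class the application never intended to accept (a harmless
        // stand-in for a gadget class, so that running the demo has no side effects).
        String legitimate = "[\"" + Note.class.getName() + "\", {\"text\": \"hello\"}]";
        String untrusted  = "[\"java.util.UUID\", \"123e4567-e89b-12d3-a456-426614174000\"]";

        // Unsafe mapper: both documents are accepted, i.e. the sender chose the class.
        System.out.println("unsafe, legitimate: " + parse(unsafeMapper(), legitimate).getClass().getName());
        System.out.println("unsafe, untrusted : " + parse(unsafeMapper(), untrusted).getClass().getName());

        // Safe mapper: the allow-listed type still round-trips ...
        System.out.println("safe,   legitimate: " + parse(safeMapper(), legitimate).getClass().getName());
        // ... and the sender-chosen class is rejected by the validator.
        try {
            parse(safeMapper(), untrusted);
            System.out.println("safe,   untrusted : UNEXPECTEDLY ACCEPTED");
        } catch (InvalidTypeIdException e) {
            System.out.println("safe,   untrusted : rejected - " + e.getOriginalMessage());
        }
    }
}
```

Compile and run it with jackson-databind 2.10+ on the classpath; the unsafe mapper prints java.util.UUID for the second document, the safe mapper throws InvalidTypeIdException for it. In a real service the allow-list would normally be a package prefix (allowIfSubType("com.example.model.")) rather than a single class, and the audit question for CVE-2021-20190 is simply whether any ObjectMapper in the code base still calls enableDefaultTyping().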

Community reactions

Multiple vendors have responded to this vulnerability by releasing security advisories and patches, including NetApp, Oracle, and Red Hat. Oracle included fixes for this vulnerability in their July 2021 Critical Patch Update. NetApp has provided specific guidance for their affected products, while some products were marked as not affected or received no fixes due to end-of-availability (NetApp Advisory, Oracle CPU).

This report was generated using AI.