CVE-2020-5411— Jackson Configuration Allows Code Execution with Unknown "Serialization Gadgets"
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2020-5411
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Jackson Configuration Allows Code Execution with Unknown "Serialization Gadgets"
Source: NVD (National Vulnerability Database)
Vulnerability Description
When configured to enable default typing, Jackson contained a deserialization vulnerability that could lead to arbitrary code execution. Jackson fixed this vulnerability by blacklisting known "deserialization gadgets". Spring Batch configures Jackson with global default typing enabled which means that through the previous exploit, arbitrary code could be executed if all of the following is true: * Spring Batch's Jackson support is being leveraged to serialize a job's ExecutionContext. * A malicious user gains write access to the data store used by the JobRepository (where the data to be deserialized is stored). In order to protect against this type of attack, Jackson prevents a set of untrusted gadget classes from being deserialized. Spring Batch should be proactive against blocking unknown "deserialization gadgets" when enabling default typing.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
可信数据的反序列化
Source: NVD (National Vulnerability Database)
Vulnerability Title
VMware Spring Batch 代码问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
VMware Spring Batch是美国威睿(VMware)公司的一款用于大量数据并行处理的轻量级框架。 VMware Spring Batch 4.0.0版本至4.0.4版本、4.1.0版本至4.1.4版本和4.2.0版本至4.2.2版本中的Jackson配置存在代码问题漏洞。攻击者可利用该漏洞执行任意代码。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Spring by VMware | Spring Batch | 4 ~ 4.2.3 | - |
II. Public POCs for CVE-2020-5411
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2020-5411
请登录查看更多情报信息。
- https://tanzu.vmware.com/security/cve-2020-5411x_refsource_CONFIRM
- https://nvd.nist.gov/vuln/detail/CVE-2020-5411
IV. Related Vulnerabilities
Same vendor: Spring by VMware
- CVE-2020-5427
Possibility of SQL Injection in Spring Cloud Data Flow Task - CVE-2020-5428
Possibility of SQL Injection in Spring Cloud Task Execution - CVE-2020-5421
RFD Protection Bypass via jsessionid - CVE-2020-5412
Hystrix Dashboard Proxy In spring-cloud-netflix-hystrix-dash - CVE-2020-5413
Kryo Configuration Allows Code Execution with Unknown "Seria
Same weakness: CWE-502
- CVE-2026-44126
Insecure deserialization - CVE-2026-5127
User Frontend: AI Powered Frontend Posting, User Directory, - CVE-2026-41586
ObjectInputStream.readObject() without ObjectInputFilter in - CVE-2026-34084
PhpSpreadsheet SSRF and RCE via PHP stream wrappers in IOFac - CVE-2026-7712
MindsDB Pickle pickle.loads deserialization
V. Comments for CVE-2020-5411
No comments yet