The description for CVE-2020-36181 says:

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS.

But the CISA ADP has:
The lower bound of 0 appears to be incorrect. It should be 2.0.0 according to the description. That is also closer to what NIST currently has for the CVE:
I'm not certain where NIST came up with that extra version range, but I digress.
Anyway, I think there are about 10 other jackson-databind CVEs that suffer from the same issue (CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, etc.)
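The following is an added example, not part of the issue thread above and not CISA or NIST tooling. It shows why the lower bound matters when a CVE's affected range is evaluated by a scanner or SBOM tool: the same upper bound (before 2.9.10.8) gives different answers for a 1.x artifact depending on whether the lower bound is 0 (as in the ADP entry) or 2.0.0 (as in the description). The version strings and the helper names are assumptions made for the example; jackson-databind's four-component versions are compared as integer tuples, since plain string comparison would rank 2.9.9 above 2.9.10.8.

```python
# Added example (not from the issue thread): evaluate a version against a CVE
# affected range given as an inclusive lower bound and an exclusive upper bound,
# e.g. "2.0.0 up to (excluding) 2.9.10.8". Only numeric dotted versions are handled.
from typing import Dict, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.9.10.8' into (2, 9, 10, 8).

    Tuples compare component-wise, so (2, 9, 10, 8) > (2, 9, 9), whereas the
    strings "2.9.10.8" < "2.9.9" would compare the wrong way. A shorter tuple
    such as (2, 9, 10) sorts before (2, 9, 10, 8), matching release ordering.
    """
    return tuple(int(part) for part in v.strip().split("."))


def is_affected(version: str, lower_inclusive: str, upper_exclusive: str) -> bool:
    """True when lower_inclusive <= version < upper_exclusive."""
    v = parse_version(version)
    return parse_version(lower_inclusive) <= v < parse_version(upper_exclusive)


# Constructed sample bounds reflecting the two ranges discussed for CVE-2020-36181:
# the ADP entry's lower bound of 0 versus the description's "2.x before 2.9.10.8".
ADP_LOWER = "0"
DESCRIPTION_LOWER = "2.0.0"
UPPER_EXCLUSIVE = "2.9.10.8"


def compare_bounds(version: str) -> Dict[str, bool]:
    """Report whether `version` is flagged under each candidate lower bound."""
    return {
        "affected_with_lower_bound_0": is_affected(version, ADP_LOWER, UPPER_EXCLUSIVE),
        "affected_with_lower_bound_2_0_0": is_affected(version, DESCRIPTION_LOWER, UPPER_EXCLUSIVE),
    }


if __name__ == "__main__":
    # Hypothetical artifact versions chosen to show where the two bounds disagree.
    for sample in ("1.9.13", "2.0.0", "2.9.9", "2.9.10.7", "2.9.10.8", "2.10.0"):
        print(sample, compare_bounds(sample))
```

A 1.x build is reported as affected only under the 0 lower bound, while 2.9.10.7 and 2.9.9 are affected under both and 2.9.10.8 under neither; that divergence on 1.x artifacts is exactly what an over-broad lower bound produces in downstream matching.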