CVE-2019-10202Deserialization of Untrusted Data in Redhat Codehaus

CWE-502Deserialization of Untrusted Data6 documents6 sources
Severity
9.8CRITICALNVD
EPSS
7.2%
top 8.35%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Redhat CodehausRedhat Jboss Enterprise Application Platform
Timeline
PublishedOct 1
Latest updateMay 24

Description

A series of deserialization vulnerabilities have been discovered in Codehaus 1.9.x implemented in EAP 7. This CVE fixes CVE-2017-17485, CVE-2017-7525, CVE-2017-15095, CVE-2018-5968, CVE-2018-7489, CVE-2018-1000873, CVE-2019-12086 reported for FasterXML jackson-databind by implementing a whitelist approach that will mitigate these vulnerabilities and future ones alike.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

CVEListV5redhat/codehausCodehaus 1.9.x

🔴Vulnerability Details

3
GHSA
Deserialization of Untrusted Data in org.codehaus.jackson:jackson-mapper-asl2022-05-24
OSV
Deserialization of Untrusted Data in org.codehaus.jackson:jackson-mapper-asl2022-05-24
CVEList
CVE-2019-10202: A series of deserialization vulnerabilities have been discovered in Codehaus 12019-10-01

📋Vendor Advisories

1
Red Hat
codehaus: incomplete fix for unsafe deserialization in jackson-databind vulnerabilities2019-09-30

💬Community

1
Bugzilla
CVE-2019-10202 codehaus: incomplete fix for unsafe deserialization in jackson-databind vulnerabilities2019-07-18
CVE-2019-10202 — Deserialization of Untrusted Data | cvebase