CVE-2019-12086
Severity: 7.5 HIGH
EPSS: 15.5% (top 5.33%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: May 17
Latest update: May 24
Description
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing …
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 | Impact: 3.6
Affected Packages: 4 packages
Also affects: Debian Linux 8.0, 9.0
Patches
Vulnerability Details (6)
CVEList: CVE-2019-12086: A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2 (2019-05-17)
Vendor Advisories (7)
Oracle: Oracle GoldenGate Risk Matrix: Internal Framework (jackson-databind) — CVE-2019-12086 (2022-04-15)
Oracle: Oracle Retail Applications Risk Matrix: Segment (jackson-databind) — CVE-2019-12086 (2020-07-15)
Oracle: Oracle JD Edwards Risk Matrix: E1 IOT Orchestrator Security (jackson-databind) — CVE-2019-12086 (2020-01-15)
Red Hat
Community (3)
Bugzilla: CVE-2019-10202 codehaus: incomplete fix for unsafe deserialization in jackson-databind vulnerabilities (2019-07-18)
Bugzilla: CVE-2019-12086 jackson-databind: polymorphic typing issue allows attacker to read arbitrary local files on the server. [fedora-all] (2019-05-23)
Bugzilla: CVE-2019-12086 jackson-databind: polymorphic typing issue allows attacker to read arbitrary local files on the server. (2019-05-23)