CVE-2019-12384
Published 2019-06-24
Priority: P349 · Severity: medium · CVSS 3.1 base score: 5.9
CVSS vector: AV:N / AC:H / PR:N / UI:N / S:U / C:H / I:N / A:N
EPSS: 45.20% (98.6th percentile)
FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.
Affected (16 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | jackson-databind | < jackson-databind 2.9.8-3 (bookworm) | jackson-databind 2.9.8-3 (bookworm) |
| fasterxml | jackson-databind | >= 0 < 2.9.8-3 | 2.9.8-3 |
| fasterxml | jackson-databind | >= 0 < 2.9.8-3 | 2.9.8-3 |
| fasterxml | jackson-databind | >= 0 < 2.9.8-3 | 2.9.8-3 |
| fasterxml | jackson-databind | >= 0 < 2.9.8-3 | 2.9.8-3 |
| fasterxml | jackson-databind | >= 0 < 2.4.2-3ubuntu0.1~esm2 | 2.4.2-3ubuntu0.1~esm2 |
| fasterxml | jackson-databind | >= 2.0.0 < 2.6.7.3 | 2.6.7.3 |
| fasterxml | jackson-databind | >= 2.7.0 < 2.7.9.6 | 2.7.9.6 |
| fasterxml | jackson-databind | >= 2.8.0 < 2.8.11.4 | 2.8.11.4 |
| fasterxml | jackson-databind | >= 2.9.0 < 2.9.9.1 | 2.9.9.1 |
| redhat | enterprise_linux | — | — |
| redhat | enterprise_linux | — | — |
| redhat | enterprise_linux | — | — |
| redhat | enterprise_linux | — | — |
| redhat | enterprise_linux | — | — |
Detection & IOCs (extracted from sources)
- Exploit requires the logback-core gadget class (ch.qos.logback.core) to be present in the application ClassPath for polymorphic deserialization abuse
- Detect use of enableDefaultTyping() in ObjectMapper configuration, a prerequisite for exploitation
- Detect @JsonTypeInfo annotations using Id.CLASS or Id.MINIMAL_CLASS; these configurations are prerequisites for exploitation
- Flag deserialization of untrusted/external JSON input in applications using jackson-databind 2.x before 2.9.9.1 with logback-core on the classpath
- Exploitation requires logback-core (ch.qos.logback.core) to be present on the classpath; applications without it are not impacted regardless of jackson-databind version
- Exploitation requires one of three insecure deserialization configurations: enableDefaultTyping(), @JsonTypeInfo with Id.CLASS, or @JsonTypeInfo with Id.MINIMAL_CLASS
- Red Hat OpenStack OpenDaylight is not affected because logback is not used in any supported configuration
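A triage helper, added here as an example and not taken from any of the advisories on this page, that checks the three prerequisites the detection items above list: a jackson-databind version inside an affected range (ranges copied from the table above), logback-core on the classpath, and one of the insecure typing configurations in source. The sample Java source and jar names are constructed, and the regexes only match the literal spellings shown.

```python
"""CVE-2019-12384 triage helper (added example; all inputs below are constructed).
Flags the advisories' prerequisites: affected jackson-databind 2.x version, logback-core
on the classpath, enableDefaultTyping() or @JsonTypeInfo with Id.CLASS/Id.MINIMAL_CLASS."""
import re

# Fix per 2.x minor line (affected-ranges table); 2.0-2.5 fall in the 2.6.7.3 range.
FIXED_IN = {(2, 6): (2, 6, 7, 3), (2, 7): (2, 7, 9, 6),
            (2, 8): (2, 8, 11, 4), (2, 9): (2, 9, 9, 1)}
DEFAULT_TYPING = re.compile(r"\benableDefaultTyping\s*\(")
CLASS_TYPE_ID = re.compile(
    r"@JsonTypeInfo\s*\([^)]*\buse\s*=\s*(?:JsonTypeInfo\.)?Id\.(CLASS|MINIMAL_CLASS)\b")

def parse_version(version):
    """'2.9.8' -> (2, 9, 8, 0); missing trailing components count as 0."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    return tuple((parts + [0, 0, 0, 0])[:4])

def databind_affected(version):
    """True when `version` is a jackson-databind 2.x release below its line's fix."""
    v = parse_version(version)
    if v[0] != 2:
        return False
    if v[1] < 6:
        return True
    fixed = FIXED_IN.get(v[:2])
    return fixed is not None and v < fixed

def insecure_typing_findings(java_source):
    """Return (line_no, description) for each insecure configuration found."""
    findings = []
    for n, line in enumerate(java_source.splitlines(), 1):
        if DEFAULT_TYPING.search(line):
            findings.append((n, "enableDefaultTyping()"))
        m = CLASS_TYPE_ID.search(line)
        if m:
            findings.append((n, "@JsonTypeInfo Id." + m.group(1)))
    return findings

def triage(databind_version, classpath_jars, java_source):
    """All three prerequisites must hold before the CVE is reachable at all."""
    has_logback = any(j.rsplit("/", 1)[-1].startswith("logback-core") for j in classpath_jars)
    findings = insecure_typing_findings(java_source)
    affected = databind_affected(databind_version)
    return {"affected_version": affected, "logback_core_present": has_logback,
            "insecure_typing": findings,
            "exploitable": affected and has_logback and bool(findings)}

# Constructed sample: both insecure patterns plus one safe Id.NAME annotation.
SAMPLE_SOURCE = """\
ObjectMapper mapper = new ObjectMapper();
mapper.enableDefaultTyping();
@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, property = "@class")
@JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "type")
"""
SAMPLE_CLASSPATH = ["lib/jackson-databind-2.9.8.jar", "lib/logback-core-1.2.3.jar"]
```

Running `triage("2.9.8", SAMPLE_CLASSPATH, SAMPLE_SOURCE)` reports all three prerequisites present; dropping the logback-core jar from the classpath turns the verdict off even though the version and configuration findings remain.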
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N |
| osv | — | 9.8 | CRITICAL | — |
| vendor_ubuntu | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 5.9 | MEDIUM | — |
| vendor_redhat | — | 5.9 | MEDIUM | — |
OSV
jackson-databind vulnerabilities
osv·2021-03-15·CVSS 9.8
CVE-2018-11307 [CRITICAL] jackson-databind vulnerabilities
It was discovered that Jackson Databind incorrectly handled
deserialization. An attacker could possibly use this issue to obtain
sensitive information. (CVE-2018-11307, CVE-2019-12086, CVE-2019-12814)
It was discovered that Jackson Databind incorrectly handled
deserialization. An attacker could possibly use this issue to execute
arbitrary code or other unspecified impact. (CVE-2018-12022,
CVE-2018-12023, CVE-2018-14718, CVE-2018-14719, CVE-2018-19360,
CVE-2018-19361, CVE-2018-19362, CVE-2019-12384, CVE-2019-14379,
CVE-2019-14439, CVE-2019-14540, CVE-2019-16335, CVE-2019-16942,
CVE-2019-16943, CVE-2019-17267, CVE-2019-17531, CVE-2019-20330,
CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969,
CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2
GHSA
Deserialization of Untrusted Data in FasterXML jackson-databind
ghsa·2019-07-05
CVE-2019-12384 [MEDIUM] CWE-502 Deserialization of Untrusted Data in FasterXML jackson-databind
FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.
OSV
Deserialization of Untrusted Data in FasterXML jackson-databind
osv·2019-07-05
CVE-2019-12384 [MEDIUM] Deserialization of Untrusted Data in FasterXML jackson-databind
FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.
OSV
CVE-2019-12384: FasterXML jackson-databind 2
osv·2019-06-24·CVSS 5.9
CVE-2019-12384 [MEDIUM] CVE-2019-12384: FasterXML jackson-databind 2
FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.
Ubuntu
Jackson Databind vulnerabilities
vendor_ubuntu·2021-03-15·CVSS 9.8
CVE-2019-14540 [CRITICAL] Jackson Databind vulnerabilities
Title: Jackson Databind vulnerabilities
Summary: Several security issues were fixed in Jackson Databind.
It was discovered that Jackson Databind incorrectly handled
deserialization. An attacker could possibly use this issue to obtain
sensitive information. (CVE-2018-11307, CVE-2019-12086, CVE-2019-12814)
It was discovered that Jackson Databind incorrectly handled
deserialization. An attacker could possibly use this issue to execute
arbitrary code or other unspecified impact. (CVE-2018-12022,
CVE-2018-12023, CVE-2018-14718, CVE-2018-14719, CVE-2018-19360,
CVE-2018-19361, CVE-2018-19362, CVE-2019-12384, CVE-2019-14379,
CVE-2019-14439, CVE-2019-14540, CVE-2019-16335, CVE-2019-16942,
CVE-2019-16943, CVE-2019-17267, CVE-2019-17531, CVE-2019-20330,
CVE-2020-10672, CVE-2020-10673, CVE-2020-109
Red Hat
jackson-databind: failure to block the logback-core class from polymorphic deserialization leading to remote code execution
vendor_redhat·2019-06-21·CVSS 5.9
CVE-2019-12384 [MEDIUM] CWE-502 jackson-databind: failure to block the logback-core class from polymorphic deserialization leading to remote code execution
FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.
A flaw was discovered in FasterXML jackson-databind in versions prior to 2.9.9. The vulnerability would permit polymorphic deserialization of malicious objects using the logback-core gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantia
Debian
CVE-2019-12384: jackson-databind - FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a va...
vendor_debian·2019·CVSS 5.9
CVE-2019-12384 [MEDIUM] CVE-2019-12384: jackson-databind - FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a va...
FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.
Scope: local
bookworm: resolved (fixed in 2.9.8-3)
bullseye: resolved (fixed in 2.9.8-3)
forky: resolved (fixed in 2.9.8-3)
sid: resolved (fixed in 2.9.8-3)
trixie: resolved (fixed in 2.9.8-3)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2019-12384 jackson-databind: failure to block the logback-core class from polymorphic deserialization leading to remote code execution [fedora-all]
bugzilla·2019-07-01·CVSS 5.9
CVE-2019-12384 [MEDIUM] CVE-2019-12384 jackson-databind: failure to block the logback-core class from polymorphic deserialization leading to remote code execution [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fe
Bugzilla
CVE-2019-12384 jackson-databind: failure to block the logback-core class from polymorphic deserialization leading to remote code execution
bugzilla·2019-07-01·CVSS 5.9
CVE-2019-12384 [MEDIUM] CVE-2019-12384 jackson-databind: failure to block the logback-core class from polymorphic deserialization leading to remote code execution
FasterXML jackson-databind 2.x before 2.9.9 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.
Upstream issue:
https://github.com/FasterXML/jackson-databind/issues/2334
Upstream patch:
https://github.com/FasterXML/jackson-databind/commit/c9ef4a10d6f6633cf470d6a469514b68fa2be234
References:
https://lists.debian.org/debian-lts-announce/2019/06/msg00019.html
Discussion:
Created jackson-databind tracking bugs for this issue:
Affects: fedora-all [bug 1725808]