CVE-2019-12384
published 2019-06-24


Priority: P349 medium
CVSS 3.1: 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS: 45.20% (98.6th percentile)
FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.

Affected

16 ranges

Vendor    | Product          | Version range                 | Fixed in
debian    | debian_linux     | -                             | -
debian    | jackson-databind | < 2.9.8-3 (bookworm)          | 2.9.8-3 (bookworm)
fasterxml | jackson-databind | >= 0 < 2.9.8-3                | 2.9.8-3 (listed four times in the source)
fasterxml | jackson-databind | >= 0 < 2.4.2-3ubuntu0.1~esm2  | 2.4.2-3ubuntu0.1~esm2
fasterxml | jackson-databind | >= 2.0.0 < 2.6.7.3            | 2.6.7.3
fasterxml | jackson-databind | >= 2.7.0 < 2.7.9.6            | 2.7.9.6
fasterxml | jackson-databind | >= 2.8.0 < 2.8.11.4           | 2.8.11.4
fasterxml | jackson-databind | >= 2.9.0 < 2.9.9.1            | 2.9.9.1
redhat    | enterprise_linux | -                             | - (listed five times in the source)

Detection & IOCs (extracted from sources)

  • Exploitation requires the logback-core gadget class (package ch.qos.logback.core) to be present on the application classpath for polymorphic deserialization abuse; applications without logback-core are not affected regardless of jackson-databind version. Note that logback-core is usually pulled in transitively (for example by logback-classic), so check the resolved dependency tree, not only directly declared dependencies.
  • Exploitation also requires one of three insecure polymorphic-typing configurations: ObjectMapper.enableDefaultTyping(), @JsonTypeInfo with Id.CLASS, or @JsonTypeInfo with Id.MINIMAL_CLASS. Detect each of these in ObjectMapper configuration and on annotated types.
  • Flag deserialization of untrusted or external JSON input in applications running jackson-databind 2.x before 2.9.9.1 (or before the per-branch fixes 2.6.7.3, 2.7.9.6 and 2.8.11.4) with logback-core on the classpath.
  • Red Hat OpenStack OpenDaylight is not affected because logback is not used in any supported configuration.
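As an added example (not code from this page or from the jackson-databind project), the following Python script turns the prerequisites above into a static triage check: it reads the jackson-databind and logback dependencies out of a pom.xml, compares the jackson-databind version against the per-branch fixed releases from the Affected table, and scans Java sources for the three polymorphic-typing configurations. A code base is reported as vulnerable only when all three conditions hold. The pom.xml fragments and Java snippets embedded at the bottom are constructed samples, and the dependency regex assumes Maven's usual groupId/artifactId/version element order.

```python
"""Static triage for the CVE-2019-12384 prerequisites (added example).

A code base is flagged only when all three advisory conditions hold:
  1. jackson-databind is in an affected upstream range,
  2. logback-core is on the classpath (declared directly or via logback-classic),
  3. polymorphic typing is enabled: enableDefaultTyping() or
     @JsonTypeInfo(use = Id.CLASS / Id.MINIMAL_CLASS).
"""
import re

# Upstream fixed versions per 2.x minor branch, taken from the advisory's ranges.
FIXED_BY_BRANCH = {
    (2, 6): (2, 6, 7, 3),
    (2, 7): (2, 7, 9, 6),
    (2, 8): (2, 8, 11, 4),
    (2, 9): (2, 9, 9, 1),
}

# Maven <dependency> blocks in the usual groupId/artifactId/version order (assumption).
DEP_RE = re.compile(
    r"<dependency>\s*<groupId>([^<]+)</groupId>\s*<artifactId>([^<]+)</artifactId>"
    r"(?:\s*<version>([^<]+)</version>)?",
    re.S,
)
DEFAULT_TYPING_RE = re.compile(r"\.enableDefaultTyping\s*\(")
TYPE_INFO_RE = re.compile(
    r"@JsonTypeInfo\s*\([^)]*\buse\s*=\s*(?:JsonTypeInfo\.)?Id\.(CLASS|MINIMAL_CLASS)\b"
)


def parse_version(text):
    """'2.9.8' -> (2, 9, 8); a qualifier such as '-SNAPSHOT' is ignored."""
    return tuple(int(p) for p in text.split("-")[0].split("."))


def is_affected_version(text):
    """True when a jackson-databind version lies in an affected range."""
    v = parse_version(text)
    if v[0] != 2:
        return False                        # the advisory covers 2.x only
    branch = v[:2]
    if branch < (2, 6):
        return True                         # >= 2.0.0 < 2.6.7.3: no fix on 2.0-2.5
    if branch in FIXED_BY_BRANCH:
        return v < FIXED_BY_BRANCH[branch]  # tuple compare: (2, 9, 9) < (2, 9, 9, 1)
    return False                            # 2.10 and later ship the fix


def maven_dependencies(pom_text):
    """{(groupId, artifactId): version or None} for every declared dependency."""
    return {(g, a): (ver or None) for g, a, ver in DEP_RE.findall(pom_text)}


def polymorphic_typing_findings(sources):
    """sources: {filename: java_text} -> [(file, line, prerequisite)] for each hit."""
    findings = []
    for name, text in sources.items():
        for m in DEFAULT_TYPING_RE.finditer(text):
            line = text.count("\n", 0, m.start()) + 1
            findings.append((name, line, "enableDefaultTyping()"))
        for m in TYPE_INFO_RE.finditer(text):
            line = text.count("\n", 0, m.start()) + 1
            findings.append((name, line, f"@JsonTypeInfo Id.{m.group(1)}"))
    return findings


def triage(pom_text, sources):
    """Combine the three prerequisites into one verdict."""
    deps = maven_dependencies(pom_text)
    jackson = deps.get(("com.fasterxml.jackson.core", "jackson-databind"))
    logback = any(g == "ch.qos.logback" and a in ("logback-core", "logback-classic")
                  for g, a in deps)
    findings = polymorphic_typing_findings(sources)
    version_affected = jackson is not None and is_affected_version(jackson)
    return {
        "jackson_databind": jackson,
        "version_affected": version_affected,
        "logback_core_on_classpath": logback,
        "typing_findings": findings,
        "vulnerable": version_affected and logback and bool(findings),
    }


# Constructed sample inputs (not from any real project).
VULNERABLE_POM = """<project><dependencies>
  <dependency>
    <groupId>com.fasterxml.jackson.core</groupId>
    <artifactId>jackson-databind</artifactId>
    <version>2.9.8</version>
  </dependency>
  <dependency>
    <groupId>ch.qos.logback</groupId>
    <artifactId>logback-classic</artifactId>
    <version>1.2.3</version>
  </dependency>
</dependencies></project>"""
PATCHED_POM = VULNERABLE_POM.replace("2.9.8", "2.9.9.1")
SAMPLE_SOURCES = {
    "Config.java": "ObjectMapper mapper = new ObjectMapper();\n"
                   "mapper.enableDefaultTyping(); // accepts attacker-chosen class names\n",
    "Payload.java": "@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY)\n"
                    "public class Payload {}\n",
    "Safe.java": "@JsonTypeInfo(use = JsonTypeInfo.Id.NAME) // named subtypes only\n"
                 "public class Safe {}\n",
}

if __name__ == "__main__":
    for label, pom in (("vulnerable", VULNERABLE_POM), ("patched", PATCHED_POM)):
        print(label, triage(pom, SAMPLE_SOURCES))
```

A direct-dependency scan undercounts: logback-core is normally pulled in transitively by logback-classic or by a framework starter, so confirm with the resolved tree (mvn dependency:tree or gradle dependencies) before clearing a service. Upgrading to a fixed release is the remediation, but 2.9.9.1 blocks this one gadget by name, so the durable hardening is to not enable default typing on untrusted input at all or, on 2.10 and later, to use activateDefaultTyping() with an explicit PolymorphicTypeValidator allowlist.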

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | 3.1     | 5.9   | MEDIUM   | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd           | 2.0     | 4.3   | MEDIUM   | AV:N/AC:M/Au:N/C:P/I:N/A:N
osv           | -       | 9.8   | CRITICAL | -
vendor_ubuntu | -       | 9.8   | CRITICAL | -
vendor_debian | -       | 5.9   | MEDIUM   | -
vendor_redhat | -       | 5.9   | MEDIUM   | -

The NVD vector scores only a confidentiality impact (C:H/I:N/A:N) with high attack complexity, while OSV and Ubuntu rate the issue 9.8 on the remote-code-execution outcome the description allows for. Triage against the higher score wherever logback-core is on the classpath and untrusted JSON is deserialized.