CVE-2019-12814
Severity
5.9MEDIUM
EPSS
18.1%
top 4.83%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedJun 19
Latest updateMar 15
Description
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6
Affected Packages4 packages
Also affects: Debian Linux 8.0
Patches
🔴Vulnerability Details
5📋Vendor Advisories
4Oracle▶
Oracle Oracle Retail Applications Risk Matrix: Segment (jackson-databind) — CVE-2019-12814↗2020-01-15
Red Hat▶
jackson-databind: polymorphic typing issue allows attacker to read arbitrary local files on the server via crafted JSON message.↗2019-06-04
Debian▶
CVE-2019-12814: jackson-databind - A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x thro...↗2019
💬Community
2Bugzilla▶
CVE-2019-12814 jackson-databind: polymorphic typing issue allows attacker to read arbitrary local files on the server via crafted JSON message.↗2019-07-01
Bugzilla▶
CVE-2019-12814 jackson-databind: polymorphic typing issue allows attacker to read arbitrary local files on the server via crafted JSON message. [fedora-all]↗2019-07-01