CVE-2019-14439

CWE-502Deserialization of Untrusted Data11 documents8 sources
Severity
7.5HIGH
EPSS
10.3%
top 6.82%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
18
Fasterxml Jackson-databindOracle Global Lifecycle Management OpatchOracle Goldengate Stream Analytics+15 more
Timeline
PublishedJul 30
Latest updateMar 15

Description

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages18 packages

NVDfasterxml/jackson-databind2.0.02.6.7.3+3
Debianjackson-databind< 2.9.9.3-1+3

Also affects: Debian Linux 10.0, 8.0, 9.0, Fedora 29, 30

Patches

Patch: github.comPatch: github.comPatch: www.oracle.com

🔴Vulnerability Details

5
OSV
jackson-databind vulnerabilities2021-03-15
GHSA
Deserialization of untrusted data in FasterXML jackson-databind2019-08-01
OSV
Deserialization of untrusted data in FasterXML jackson-databind2019-08-01
CVEList
CVE-2019-14439: A Polymorphic Typing issue was discovered in FasterXML jackson-databind 22019-07-30
OSV
CVE-2019-14439: A Polymorphic Typing issue was discovered in FasterXML jackson-databind 22019-07-30

📋Vendor Advisories

3
Ubuntu
Jackson Databind vulnerabilities2021-03-15
Red Hat
jackson-databind: Polymorphic typing issue related to logback/JNDI2019-07-30
Debian
CVE-2019-14439: jackson-databind - A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x befo...2019

💬Community

2
Bugzilla
CVE-2019-14439 jackson-databind: Polymorphic typing issue related to logback/JNDI [fedora-all]2019-09-17
Bugzilla
CVE-2019-14439 jackson-databind: Polymorphic typing issue related to logback/JNDI2019-09-17