CVE-2019-14893

CWE-200Information ExposureCWE-502Deserialization of Untrusted Data8 documents7 sources
Severity
9.8CRITICAL
EPSS
1.0%
top 23.57%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Fasterxml Jackson-databindOracle Goldengate Stream AnalyticsRED HAT Jackson-databind
Timeline
PublishedMar 2
Latest updateMay 15

Description

A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrar

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages5 packages

NVDfasterxml/jackson-databind2.8.02.8.11.5+1
Debianjackson-databind< 2.10.0-1+3
CVEListV5red_hat/jackson-databind2.10.0, 2.9.10+1

Patches

Patch: bugzilla.redhat.comPatch: bugzilla.redhat.com

🔴Vulnerability Details

4
OSV
Polymorphic deserialization of malicious object in jackson-databind2020-05-15
GHSA
Polymorphic deserialization of malicious object in jackson-databind2020-05-15
OSV
CVE-2019-14893: A flaw was discovered in FasterXML jackson-databind in all versions before 22020-03-02
CVEList
CVE-2019-14893: A flaw was discovered in FasterXML jackson-databind in all versions before 22020-03-02

📋Vendor Advisories

2
Red Hat
jackson-databind: Serialization gadgets in classes of the xalan package2019-09-20
Debian
CVE-2019-14893: jackson-databind - A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.1...2019

💬Community

1
Bugzilla
CVE-2019-14893 jackson-databind: Serialization gadgets in classes of the xalan package2019-10-03
CVE-2019-14893 (CRITICAL CVSS 9.8) | A flaw was discovered in FasterXML | cvebase.io