cbcvebase.
CVE-2019-16942
published 2019-10-01

CVE-2019-16942: A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific…

critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.

Affected

65 ranges· showing 25
VendorProductVersion rangeFixed in
debiandebian_linux
debiandebian_linux
debiandebian_linux
debianjackson-databind< jackson-databind 2.10.0-2 (bookworm)jackson-databind 2.10.0-2 (bookworm)
fasterxmljackson-databind>= 0 < 2.10.0-22.10.0-2
fasterxmljackson-databind>= 0 < 2.10.0-22.10.0-2
fasterxmljackson-databind>= 0 < 2.10.0-22.10.0-2
fasterxmljackson-databind>= 0 < 2.10.0-22.10.0-2
fasterxmljackson-databind>= 0 < 2.4.2-3ubuntu0.1~esm22.4.2-3ubuntu0.1~esm2
fasterxmljackson-databind>= 2.0.0 < 2.6.7.32.6.7.3
fasterxmljackson-databind>= 2.8.0 < 2.8.11.52.8.11.5
fasterxmljackson-databind>= 2.9.0 < 2.9.10.12.9.10.1
fedoraprojectfedora
fedoraprojectfedora
libsndfile_projectlibsndfile>= 0 < 1.0.25-10ubuntu0.16.04.31.0.25-10ubuntu0.16.04.3
libsndfile_projectlibsndfile>= 0 < 1.0.25-7ubuntu2.2+esm11.0.25-7ubuntu2.2+esm1
netappactive_iq_unified_manager>= 7.3
netappactive_iq_unified_manager>= 9.5
oraclebanking_platform
oraclebanking_platform
oraclebanking_platform
oraclebanking_platform
oraclebanking_platform
oraclebanking_platform
oraclebanking_platform

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv9.8CRITICAL