CVE-2019-16943

CWE-502Deserialization of Untrusted Data14 documents9 sources
Severity
9.8CRITICAL
EPSS
1.8%
top 17.04%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
22
Fasterxml Jackson-databindOracle Primavera GatewayOracle Siebel Engineering - Installer \& Deployment+19 more
Timeline
PublishedOct 1
Latest updateMar 15

Description

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages22 packages

NVDfasterxml/jackson-databind2.0.02.6.7.3+2
Debianjackson-databind< 2.10.0-2+3
NVDoracle/primavera_gateway17.717.12.6+4

Also affects: Debian Linux 10.0, 8.0, 9.0, Fedora 30, 31

Patches

Patch: github.comPatch: www.oracle.comPatch: www.oracle.com

🔴Vulnerability Details

5
OSV
jackson-databind vulnerabilities2021-03-15
OSV
jackson-databind polymorphic typing issue2019-11-13
GHSA
jackson-databind polymorphic typing issue2019-11-13
CVEList
CVE-2019-16943: A Polymorphic Typing issue was discovered in FasterXML jackson-databind 22019-10-01
OSV
CVE-2019-16943: A Polymorphic Typing issue was discovered in FasterXML jackson-databind 22019-10-01

📋Vendor Advisories

6
Ubuntu
Jackson Databind vulnerabilities2021-03-15
Oracle
Oracle Oracle Database Server Risk Matrix: TFA (jackson-databind) — CVE-2019-169432020-07-15
Oracle
Oracle Oracle Communications Applications Risk Matrix: Administration (jackson-databind) — CVE-2019-169432020-04-15
Oracle
Oracle Oracle JD Edwards Risk Matrix: E1 IOT Orchestrator Security (jackson-databind) — CVE-2019-169432020-01-15
Red Hat
jackson-databind: Serialization gadgets in com.p6spy.engine.spy.P6DataSource2019-09-27

💬Community

2
Bugzilla
CVE-2019-16943 jackson-databind: Serialization gadgets in classes of the p6spy package [fedora-all]2019-10-03
Bugzilla
CVE-2019-16943 jackson-databind: Serialization gadgets in com.p6spy.engine.spy.P6DataSource2019-10-03
CVE-2019-16943 (CRITICAL CVSS 9.8) | A Polymorphic Typing issue was disc | cvebase.io