CVE-2019-16943: A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific…

critical9.8CVSS 3.1

AVNACLPRNUINSUCHIHAH

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.

Affected

58 ranges· showing 25

Vendor	Product	Version range	Fixed in
debian	debian_linux	—	—
debian	debian_linux	—	—
debian	debian_linux	—	—
debian	jackson-databind	< jackson-databind 2.10.0-2 (bookworm)	jackson-databind 2.10.0-2 (bookworm)
fasterxml	jackson-databind	>= 0 < 2.10.0-2	2.10.0-2
fasterxml	jackson-databind	>= 0 < 2.10.0-2	2.10.0-2
fasterxml	jackson-databind	>= 0 < 2.10.0-2	2.10.0-2
fasterxml	jackson-databind	>= 0 < 2.10.0-2	2.10.0-2
fasterxml	jackson-databind	>= 0 < 2.4.2-3ubuntu0.1~esm2	2.4.2-3ubuntu0.1~esm2
fasterxml	jackson-databind	>= 2.0.0 < 2.6.7.3	2.6.7.3
fasterxml	jackson-databind	>= 2.7.0 < 2.8.11.5	2.8.11.5
fasterxml	jackson-databind	>= 2.9.0 < 2.9.10.1	2.9.10.1
fedoraproject	fedora	—	—
fedoraproject	fedora	—	—
netapp	active_iq_unified_manager	>= 7.3	—
netapp	active_iq_unified_manager	>= 9.5	—
oracle	banking_platform	—	—
oracle	banking_platform	—	—
oracle	banking_platform	—	—
oracle	banking_platform	—	—
oracle	banking_platform	—	—
oracle	banking_platform	—	—
oracle	banking_platform	—	—
oracle	banking_platform	—	—
oracle	banking_platform	—	—

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

osv9.8CRITICAL