CVE-2019-17531
Severity: 9.8 CRITICAL
EPSS: 1.2% (top 21.18%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Oct 12
Latest update: Jul 15
Description
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9
Affected Packages: 21 packages
Also affects: Debian Linux 8.0
Patches
Vulnerability Details
Vendor Advisories
Oracle: Oracle Analytics Risk Matrix: Analytics Server (jackson-databind) — CVE-2019-17531 (2023-07-15)
Oracle: Oracle Fusion Middleware Risk Matrix: Build Request (jackson-databind) — CVE-2019-17531 (2020-10-15)
Oracle: Oracle Fusion Middleware Risk Matrix: Security Framework (jackson-databind) — CVE-2019-17531 (2020-07-15)
Community
Bugzilla: CVE-2019-17531 jackson-databind: polymorphic typing issue when enabling default typing for an externally exposed JSON endpoint and having apache-log4j-extra in the classpath leads to code execution [f (2019-11-21)
Bugzilla: CVE-2019-17531 jackson-databind: Serialization gadgets in org.apache.log4j.receivers.db.* (2019-11-21)