cbcvebase.
CVE-2019-17531
published 2019-10-12

CVE-2019-17531: A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific…

critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.

Affected

52 ranges· showing 25
VendorProductVersion rangeFixed in
debiandebian_linux
debianjackson-databind< jackson-databind 2.10.1-1 (bookworm)jackson-databind 2.10.1-1 (bookworm)
fasterxmljackson-databind>= 0 < 2.10.1-12.10.1-1
fasterxmljackson-databind>= 0 < 2.10.1-12.10.1-1
fasterxmljackson-databind>= 0 < 2.10.1-12.10.1-1
fasterxmljackson-databind>= 0 < 2.10.1-12.10.1-1
fasterxmljackson-databind>= 0 < 2.4.2-3ubuntu0.1~esm22.4.2-3ubuntu0.1~esm2
fasterxmljackson-databind>= 2.0.0 < 2.6.7.32.6.7.3
fasterxmljackson-databind>= 2.7.0 < 2.8.11.52.8.11.5
fasterxmljackson-databind>= 2.9.0 < 2.9.10.12.9.10.1
oraclebanking_platform
oraclebanking_platform
oraclebanking_platform
oraclebanking_platform
oraclebanking_platform
oraclebanking_platform
oraclebanking_platform
oraclebanking_platform
oraclebanking_platform
oraclecommunications_billing_and_revenue_management
oraclecommunications_billing_and_revenue_management
oraclecommunications_calendar_server
oraclecommunications_calendar_server
oraclecommunications_cloud_native_core_network_slice_selection_function
oraclecommunications_evolved_communications_application_server

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv9.8CRITICAL