ID CVE-2019-14439
Summary A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.
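The summary above names the two preconditions: Default Typing enabled on a mapper that parses external JSON, plus a gadget class (here, from the logback jar) on the classpath. The following is an added example, not code from the advisory or from the jackson-databind project. It puts the weak configuration beside its hardened form and assumes jackson-databind 2.10 or later, where `PolymorphicTypeValidator` exists; the `com.example` package, the `Event` and `Metric` classes and the request JSON are hypothetical and constructed for the demonstration. `java.util.TreeMap` is a benign stand-in for whatever class a caller chooses to name; the point is that the class comes from the request, not from the schema.

```java
// Added example: weak Default Typing configuration vs. an allowlisting PolymorphicTypeValidator.
// Assumes jackson-databind >= 2.10. Package, DTOs and JSON below are hypothetical/constructed.
package com.example;

import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingDemo {

    // A typical externally exposed DTO. The Object-typed field is the "specific property"
    // the advisory refers to: with Default Typing, the caller decides its runtime class.
    public static class Event {
        public String name;
        public Object payload;
    }

    // The only payload type the service actually intends to accept.
    public static class Metric {
        public String key;
        public long value;
    }

    // Constructed request. The caller names a JVM class outside the application's model;
    // any class on the classpath could be named here (the advisory's case is a logback class).
    static final String UNTRUSTED_JSON =
        "{\"name\":\"login\",\"payload\":[\"java.util.TreeMap\",{\"x\":\"1\"}]}";

    // Constructed legitimate request: a Metric, named with its JVM class name ($ for nested class).
    static final String LEGITIMATE_JSON =
        "{\"name\":\"cpu\",\"payload\":[\"com.example.DefaultTypingDemo$Metric\","
        + "{\"key\":\"load\",\"value\":3}]}";

    // Weak: global Default Typing as the advisory describes. enableDefaultTyping() is the
    // pre-2.10 API (deprecated since 2.10); its default applicability is OBJECT_AND_NON_CONCRETE,
    // so every Object- or abstract-typed property accepts a caller-supplied class name.
    static ObjectMapper weakMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping();
        return m;
    }

    // Hardened: polymorphic type ids are only resolved for classes under our own package.
    // Anything else is rejected before instantiation, regardless of what jars are on the classpath.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType("com.example.")
            .build();
        return JsonMapper.builder()
            .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE)
            .build();
    }

    public static void main(String[] args) throws Exception {
        // The weak mapper instantiates whatever the request names.
        Event e = weakMapper().readValue(UNTRUSTED_JSON, Event.class);
        System.out.println("weak mapper instantiated: " + e.payload.getClass().getName());

        // The hardened mapper refuses the unknown type id (InvalidTypeIdException,
        // a JsonMappingException) without ever loading or constructing the class.
        try {
            hardenedMapper().readValue(UNTRUSTED_JSON, Event.class);
            System.out.println("hardened mapper accepted unknown type (unexpected)");
        } catch (JsonMappingException ex) {
            System.out.println("hardened mapper rejected: " + ex.getOriginalMessage());
        }

        // Legitimate polymorphic payloads still work under the allowlist.
        Event ok = hardenedMapper().readValue(LEGITIMATE_JSON, Event.class);
        System.out.println("hardened mapper accepted: " + ok.payload.getClass().getName());
    }
}
```

Upgrading to 2.9.9.2 adds one more class name to jackson-databind's deny list, which closes this CVE but is reactive by design; the durable fix is either not enabling Default Typing at all, or enabling it only through a `PolymorphicTypeValidator` that allowlists the application's own types, as the hardened mapper does.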
References
Vulnerable Configurations
  • cpe:2.3:a:fasterxml:jackson-databind:2.7.0:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.7.0:-:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.7.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.7.0:rc2:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.7.0:rc3:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.7.1:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.7.1-1:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.7.2:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.7.3:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.7.4:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.7.5:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.7.6:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.7.7:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.7.8:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.7.9:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.7.9.1:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.7.9.2:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.7.9.3:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.7.9.4:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.7.9.5:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.8.0:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.8.1:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.8.2:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.8.3:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.8.4:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.8.5:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.8.6:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.8.7:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.8.8:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.8.8.1:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.8.9:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.8.10:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.8.11:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.8.11.1:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.8.11.2:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.8.11.3:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.9.0:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.9.0:-:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.9.0:prerelease1:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.9.0:prerelease2:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.9.0:prerelease3:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.9.0:prerelease4:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.9.1:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.9.2:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.9.3:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.9.4:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.9.5:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.9.6:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.9.7:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.9.8:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.9.9:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.9.9.1:*:*:*:*:*:*:*
  • cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
CVSS
Base: 5.0 (as of 24-08-2020 - 17:37)
Impact:
Exploitability:
CWE CWE-502
CAPEC
  • Object Injection
    An adversary attempts to exploit an application by injecting additional, malicious content during its processing of serialized objects. Developers leverage serialization in order to convert data or state into a static, binary format for saving to disk or transferring over a network. These objects are then deserialized when needed to recover the data/state. By injecting a malformed object into a vulnerable application, an adversary can potentially compromise the application by manipulating the deserialization process. This can result in a number of unwanted outcomes, including remote code execution.
Access
Vector: NETWORK
Complexity: LOW
Authentication: NONE
Impact
Confidentiality: PARTIAL
Integrity: NONE
Availability: NONE
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:N/A:N
redhat via4
advisories
rhsa
id RHSA-2019:3200
refmap via4
bugtraq 20191007 [SECURITY] [DSA 4542-1] jackson-databind security update
confirm https://security.netapp.com/advisory/ntap-20190814-0001/
debian DSA-4542
fedora
  • FEDORA-2019-ae6a703b8f
  • FEDORA-2019-fb23eccc03
misc
mlist
  • [cassandra-commits] 20190919 [jira] [Created] (CASSANDRA-15328) Bump jackson version to >= 2.9.9.3 to address security vulnerabilities
  • [debian-lts-announce] 20190812 [SECURITY] [DLA 1879-1] jackson-databind security update
  • [drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities
  • [drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities
  • [drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities
  • [nifi-commits] 20191113 svn commit: r1869773 - /nifi/site/trunk/security.html
  • [nifi-commits] 20200123 svn commit: r1873083 - /nifi/site/trunk/security.html
  • [struts-dev] 20190908 Build failed in Jenkins: Struts-master-JDK8-dependency-check #204
  • [tomee-dev] 20190905 [GitHub] [tomee] asf-ci commented on issue #548: [TOMEE-2655] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439
  • [tomee-dev] 20190905 [GitHub] [tomee] asf-ci commented on issue #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439
  • [tomee-dev] 20190905 [GitHub] [tomee] robert-schaft-hon commented on issue #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439
  • [tomee-dev] 20190905 [GitHub] [tomee] rzo1 opened a new pull request #548: [TOMEE-2655] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439
  • [tomee-dev] 20190905 [GitHub] [tomee] rzo1 opened a new pull request #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439
  • [tomee-dev] 20190906 [GitHub] [tomee] rzo1 commented on issue #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439
  • [tomee-dev] 20190909 [GitHub] [tomee] jgallimore merged pull request #548: [TOMEE-2655] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439
  • [tomee-dev] 20190909 [GitHub] [tomee] jgallimore merged pull request #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439
Last major update 24-08-2020 - 17:37
Published 30-07-2019 - 11:15
Last modified 24-08-2020 - 17:37