CVE-2019-12086 — Vulnetix

Try Vulnetix Request Demo

CVE-2019-12086 PUBLISHED

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation.

EPSS 15.50% · 94.6th percentile

Risk Scores

EPSS Score

15.50%

94.6th percentile

Affected Products

Vendor	Product	Versions
Ubuntu:Pro:14.04:LTS	jackson-databind	0, 2.2.2-1, 2.2.2-1ubuntu0.1~esm1
Ubuntu:18.04:LTS	jackson-databind	0, 2.8.6-1, 2.9.1-1
Ubuntu:Pro:16.04:LTS	jackson-databind	2.4.2-2, 2.4.2-3, 2.4.2-3ubuntu0.1~esm1
AWS	connect

Timeline

May 17, 2019 CVE Published
Apr 14, 2021 EPSS Score
Jun 15, 2021 EPSS Score
Aug 23, 2021 EPSS Score
Oct 24, 2021 EPSS Score
Feb 4, 2022 EPSS Score
Feb 25, 2022 EPSS Score
Jun 29, 2022 EPSS Score
Aug 31, 2022 EPSS Score
Jan 2, 2023 EPSS Score
Mar 5, 2023 EPSS Score
Mar 7, 2023 EPSS Score

References

https://ubuntu.com/security/CVE-2019-12086 third-party-advisory
http://russiansecurity.expert/2016/04/20/mysql-connect-file-read/ third-party-advisory
https://github.com/FasterXML/jackson-databind/issues/2326 third-party-advisory
https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.9 third-party-advisory
https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 third-party-advisory
https://ubuntu.com/security/notices/USN-4813-1 vendor-advisory
https://www.cve.org/CVERecord?id=CVE-2019-12086 third-party-advisory

Open in Interactive Console →