VDB

CVE-2019-12086

CVE-2019-12086 PUBLISHED

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation.

EPSS 15.52% · 94.8th percentile

Risk Scores

EPSS Score
15.52%
94.8th percentile

Affected Products

VendorProductVersions
Ubuntu:Pro:14.04:LTSjackson-databind0, 2.2.2-1, 2.2.2-1ubuntu0.1~esm1
Ubuntu:18.04:LTSjackson-databind2.9.1-1, 2.9.4-1, *
Ubuntu:Pro:16.04:LTSjackson-databind0, 2.4.2-3, 2.4.2-3ubuntu0.1~esm1
AWSconnect

Exploit Intelligence

…and 21 more exploits

Timeline

  • CVE Published
  • Apr 14, 2021 EPSS Score
  • Jun 15, 2021 EPSS Score
  • Aug 24, 2021 EPSS Score
  • Oct 26, 2021 EPSS Score
  • Feb 4, 2022 EPSS Score
  • Feb 28, 2022 EPSS Score
  • Jul 3, 2022 EPSS Score
  • Sep 4, 2022 EPSS Score
  • Jan 8, 2023 EPSS Score
  • Mar 7, 2023 EPSS Score
  • May 13, 2023 EPSS Score

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›