CVE-2019-12384 — Vulnetix

Try Vulnetix Request Demo

CVE-2019-12384 PUBLISHED

FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.

EPSS 51.67% · 97.9th percentile

Risk Scores

EPSS Score

51.67%

97.9th percentile

Affected Products

Vendor	Product	Versions
Ubuntu:Pro:14.04:LTS	jackson-databind	0, 2.2.2-1, 2.2.2-1ubuntu0.1~esm1
Ubuntu:18.04:LTS	jackson-databind	2.9.8-1~18.04, 2.8.6-1, 2.9.1-1
Ubuntu:Pro:16.04:LTS	jackson-databind	2.4.2-2, 2.4.2-3, 2.4.2-3ubuntu0.1~esm1

Timeline

Jun 24, 2019 CVE Published
Apr 14, 2021 EPSS Score
Jun 28, 2021 PoC Published
Dec 11, 2021 PoC Published
Dec 13, 2021 PoC Published
Dec 18, 2021 PoC Published
Apr 7, 2022 PoC Published
Jun 7, 2022 PoC Published
Sep 16, 2022 PoC Published
Mar 7, 2023 EPSS Score
Sep 14, 2023 EPSS Score
Oct 21, 2023 PoC Published

References

https://ubuntu.com/security/CVE-2019-12384 third-party-advisory
https://github.com/FasterXML/jackson-databind/issues/2334 third-party-advisory
https://github.com/FasterXML/jackson-databind/commit/c9ef4a10d6f6633cf470d6a469514b68fa2be234 third-party-advisory
https://ubuntu.com/security/notices/USN-4813-1 vendor-advisory
https://www.cve.org/CVERecord?id=CVE-2019-12384 third-party-advisory

Open in Interactive Console →