CVE-2019-12814 — Vulnetix

Try Vulnetix Request Demo

CVE-2019-12814 PUBLISHED

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.

EPSS 18.34% · 95.2th percentile

Risk Scores

EPSS Score

18.34%

95.2th percentile

Affected Products

Vendor	Product	Versions
Ubuntu:Pro:14.04:LTS	jackson-databind	0, 2.2.2-1, 2.2.2-1ubuntu0.1~esm1
Ubuntu:Pro:16.04:LTS	jackson-databind	0, 2.4.2-2, 2.4.2-3
Ubuntu:18.04:LTS	jackson-databind	0, 2.8.6-1, 2.9.1-1

Timeline

Jun 19, 2019 CVE Published
Sep 5, 2019 CVE Updated
Apr 14, 2021 EPSS Score
Mar 7, 2023 EPSS Score
Nov 8, 2023 EPSS Score
Feb 8, 2024 PoC Published
Jun 12, 2024 EPSS Score
Dec 19, 2024 EPSS Score
Mar 17, 2025 EPSS Score
Mar 20, 2025 EPSS Score
Mar 28, 2025 EPSS Score
Mar 30, 2025 EPSS Score

References

https://ubuntu.com/security/CVE-2019-12814 third-party-advisory
https://github.com/FasterXML/jackson-databind/issues/2341 third-party-advisory
https://github.com/FasterXML/jackson-databind/commit/5f7c69bba07a7155adde130d9dee2e54a54f1fa5 third-party-advisory
https://ubuntu.com/security/notices/USN-4813-1 vendor-advisory
https://www.cve.org/CVERecord?id=CVE-2019-12814 third-party-advisory

Open in Interactive Console →