VDB

CVE-2019-12814

CVE-2019-12814 PUBLISHED

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.

EPSS 18.06% · 95.3th percentile

Risk Scores

EPSS Score
18.06%
95.3th percentile

Affected Products

VendorProductVersions
Ubuntu:Pro:14.04:LTSjackson-databind0, 2.2.2-1, 2.2.2-1ubuntu0.1~esm1
Ubuntu:Pro:16.04:LTSjackson-databind2.4.2-3ubuntu0.1~esm1, 0, 2.4.2-2
Ubuntu:18.04:LTSjackson-databind0, 2.8.6-1, 2.9.1-1

Timeline

  • Jun 19, 2019 CVE Published
  • Sep 5, 2019 CVE Updated
  • Apr 14, 2021 EPSS Score
  • Mar 7, 2023 EPSS Score
  • Nov 8, 2023 EPSS Score
  • Feb 8, 2024 PoC Published
  • Jun 12, 2024 EPSS Score
  • Dec 19, 2024 EPSS Score
  • Mar 17, 2025 EPSS Score
  • Mar 20, 2025 EPSS Score
  • Mar 28, 2025 EPSS Score
  • Mar 30, 2025 EPSS Score
Open in Interactive Console →
$ Console Community · 100/wk Open console ›