CVE-2019-14893
Status: PUBLISHED
A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0. When polymorphic type handling is enabled, either globally through `enableDefaultTyping()`, per property through `@JsonTypeInfo` using `Id.CLASS` or `Id.MINIMAL_CLASS`, or in any other way that lets `ObjectMapper.readValue` instantiate classes named by untrusted input, the library permits deserialization of malicious objects via the xalan gadget (described in the CVE record as a JNDI gadget). An attacker who controls the JSON input could use this flaw to execute arbitrary code.

The fix referenced below (jackson-databind issue #2469 and its commit) adds the xalan gadget class to the library's deny-list of known-dangerous types. That list is reactive: upgrading to 2.9.10 or 2.10.0 closes this gadget, not the class of problem. The durable mitigation is not to enable default typing for data from untrusted sources, or on 2.10 and later to restrict it with a `PolymorphicTypeValidator` allow-list, and to prefer `Id.NAME` with `@JsonSubTypes` over class-name type ids.
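The two configurations named in the description, as an added example written for this page rather than code from the advisory or from jackson-databind: a mapper using the pre-2.10 `enableDefaultTyping()` call, beside one restricted with a `PolymorphicTypeValidator` allow-list (2.10 and later). The `Event`, `LoginEvent` and `Envelope` types, the package name and the JSON inputs are hypothetical and constructed here; the unintended input names `java.util.HashMap` as a harmless stand-in for a class the application never meant to instantiate, and no gadget class is referenced.

```java
package com.example.events;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

// Added example (not code from the advisory or from jackson-databind). The
// application types and JSON are hypothetical. Requires jackson-databind 2.10
// or later: activateDefaultTyping() and PolymorphicTypeValidator exist from 2.10.
public class DefaultTypingDemo {

    // Hypothetical application model: the only types the app intends to accept.
    public interface Event {}
    public static class LoginEvent implements Event {
        public String user;
    }

    // A property with a loose static type. With default typing enabled, the
    // JSON itself names the concrete class Jackson will instantiate here.
    public static class Envelope {
        public Object payload;
    }

    // Constructed sample inputs. Default typing uses WRAPPER_ARRAY form for
    // Object-typed properties: the first element is the class name.
    static final String INTENDED =
        "{\"payload\":[\"com.example.events.DefaultTypingDemo$LoginEvent\",{\"user\":\"alice\"}]}";
    // A class the application never intended to deserialize (harmless stand-in;
    // the gadget classes behind the CVE are deliberately not referenced).
    static final String UNINTENDED =
        "{\"payload\":[\"java.util.HashMap\",{\"x\":1}]}";

    // Pre-2.10 style configuration matching the CVE description: any class the
    // JSON names is loaded and instantiated unless it is on Jackson's deny-list,
    // which is why each newly found gadget (xalan here) became a new CVE.
    @SuppressWarnings("deprecation")
    static ObjectMapper vulnerableMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    // 2.10+ configuration: an allow-list validator admitting only subtypes of
    // the application's own Event interface. BasicPolymorphicTypeValidator
    // denies every indeterminate result, so unknown future gadgets fail too.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType(Event.class)
            .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    // Deserialize and report which class was instantiated, or why it was refused.
    static String describe(ObjectMapper mapper, String json) {
        try {
            Envelope e = mapper.readValue(json, Envelope.class);
            return "instantiated " + e.payload.getClass().getName();
        } catch (InvalidTypeIdException ex) {
            return "rejected type id: " + ex.getTypeId();
        } catch (JsonProcessingException ex) {
            return "parse error: " + ex.getOriginalMessage();
        }
    }

    public static void main(String[] args) {
        System.out.println("vulnerable, intended:   " + describe(vulnerableMapper(), INTENDED));
        System.out.println("vulnerable, unintended: " + describe(vulnerableMapper(), UNINTENDED));
        System.out.println("hardened, intended:     " + describe(hardenedMapper(), INTENDED));
        System.out.println("hardened, unintended:   " + describe(hardenedMapper(), UNINTENDED));
    }
}
```

On the vulnerable mapper both inputs instantiate whatever class the JSON names, with only the deny-list standing in the way; the hardened mapper instantiates `LoginEvent` for the first input and throws `InvalidTypeIdException` for the second. `activateDefaultTyping` governs default typing only: properties annotated with `@JsonTypeInfo(use = Id.CLASS)` are validated through the validator installed with `ObjectMapper.setPolymorphicTypeValidator`, so set that as well if the code base uses class-name type ids.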
Risk Scores
EPSS score: 0.98% (percentile 77.1)
Affected Products

| Vendor | Package | Versions listed |
|---|---|---|
| Ubuntu Pro 14.04 LTS | jackson-databind | 2.2.2-1, 2.2.2-1ubuntu0.1~esm1, 0 |
| Ubuntu 18.04 LTS | jackson-databind | 0, 2.8.6-1, 2.9.1-1 |

The version column reproduces the package versions recorded by the source; whether a given version is affected or carries the fix should be confirmed against the Ubuntu security tracker entry in the references.
Timeline
- Mar 2, 2020: CVE published
- Mar 4, 2020: CVE updated
- Apr 14, 2021 to Nov 5, 2022: EPSS score recalculated ten times (Apr 14, 2021; Jun 22, 2021; Oct 25, 2021; Dec 27, 2021; Jan 6, 2022; Feb 27, 2022; Apr 1, 2022; May 1, 2022; Jul 2, 2022; Nov 5, 2022)
References
- https://ubuntu.com/security/CVE-2019-14893 (Ubuntu security tracker; third-party advisory)
- https://github.com/FasterXML/jackson-databind/issues/2469 (upstream issue)
- https://github.com/FasterXML/jackson-databind/commit/998efd708284778f29d83d7962a9bd935c228317 (upstream fix commit)
- https://www.cve.org/CVERecord?id=CVE-2019-14893 (CVE record)
- Multiples vulnérabilités dans les produits IBM ("Multiple vulnerabilities in IBM products"; advisory, no URL given)