VDB

CVE-2019-16942

CVE-2019-16942 PUBLISHED

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.

EPSS 0.43% · 62.7th percentile

Risk Scores

EPSS Score
0.43%
62.7th percentile

Affected Products

VendorProductVersions
Ubuntu:Pro:16.04:LTSjackson-databind2.4.2-3, 0, 2.4.2-2
Ubuntu:Pro:14.04:LTSjackson-databind2.2.2-1ubuntu0.1~esm1, 2.2.2-1, 0
Ubuntu:18.04:LTSjackson-databind2.9.4-1, 0, 2.9.5-1
Cloudflareaccess

Exploit Intelligence

Timeline

  • Oct 1, 2019 CVE Published
  • Oct 8, 2019 CVE Updated
  • Apr 14, 2021 EPSS Score
  • Jun 23, 2021 EPSS Score
  • Oct 26, 2021 EPSS Score
  • Dec 27, 2021 EPSS Score
  • Jan 6, 2022 EPSS Score
  • Feb 4, 2022 EPSS Score
  • Apr 1, 2022 EPSS Score
  • May 1, 2022 EPSS Score
  • Jul 3, 2022 EPSS Score
  • Sep 4, 2022 EPSS Score
Open in Interactive Console →
$ Console Community · 100/wk Open console ›