VDB

CVE-2019-17531

CVE-2019-17531 PUBLISHED

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.

EPSS 1.22% · 79.5th percentile

Risk Scores

EPSS Score
1.22%
79.5th percentile

Affected Products

VendorProductVersions
Ubuntu:18.04:LTSjackson-databind2.9.5-1, 2.8.6-1, 0
Ubuntu:Pro:14.04:LTSjackson-databind2.2.2-1, 0, 2.2.2-1ubuntu0.1~esm1
Cloudflareaccess
Ubuntu:Pro:16.04:LTSjackson-databind0, 2.4.2-3ubuntu0.1~esm1, 2.4.2-3

Exploit Intelligence

Timeline

  • Oct 12, 2019 CVE Published
  • Oct 24, 2019 CVE Updated
  • Apr 14, 2021 EPSS Score
  • Jun 23, 2021 EPSS Score
  • Oct 26, 2021 EPSS Score
  • Dec 27, 2021 EPSS Score
  • Jan 6, 2022 EPSS Score
  • Feb 4, 2022 EPSS Score
  • Apr 1, 2022 EPSS Score
  • May 1, 2022 EPSS Score
  • Jul 3, 2022 EPSS Score
  • Sep 4, 2022 EPSS Score

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›