A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.
Metrics
- CVSS v4.0 N/A
- CVSS v3.1 9.8 Critical
- CVSS v3.0 7.5 High
- CVSS v2 7.5 High
- KEV no
- EPSS 0.00698
- SSVC no
No CVSS v4.0
Attack Vector Network
Attack Complexity Low
Privileges Required None
Scope Unchanged
Confidentiality Impact High
Integrity Impact High
Availability Impact High
User Interaction None
Attack Vector Network
Attack Complexity Low
Privileges Required None
Scope Unchanged
Confidentiality Impact High
Integrity Impact None
Availability Impact None
User Interaction None
Access Vector Network
Access Complexity Low
Authentication None
Confidentiality Impact Partial
Integrity Impact Partial
Availability Impact Partial
This CVE is not in the KEV list.
The EPSS score is 0.00698.
Key SSVC decision points have not yet been added.
Affected Vendors & Products
Vendors | Products |
---|---|
Fasterxml |
|
Netapp |
|
Oracle |
|
Redhat |
|
Configuration 1 [-]
|
Configuration 2 [-]
|
Configuration 3 [-]
|
Package | CPE | Advisory | Released Date |
---|---|---|---|
EAP-CD 19 Tech Preview | |||
jackson-databind | cpe:/a:redhat:jboss_enterprise_application_platform_cd:19 | RHSA-2020:2333 | 2020-05-28T00:00:00Z |
Red Hat Data Grid 7.3.5 | |||
jackson-databind | cpe:/a:redhat:jboss_data_grid:7.3 | RHSA-2020:0729 | 2020-03-05T00:00:00Z |
Red Hat Decision Manager 7 | |||
jackson-databind | cpe:/a:redhat:jboss_enterprise_brms_platform:7.7 | RHSA-2020:0899 | 2020-03-18T00:00:00Z |
Red Hat Fuse 7.7.0 | |||
jackson-databind | cpe:/a:redhat:jboss_fuse:7 | RHSA-2020:3192 | 2020-07-28T00:00:00Z |
Red Hat JBoss EAP 7.2 | |||
jackson-databind | cpe:/a:redhat:jboss_enterprise_application_platform:7.2 | RHSA-2020:0164 | 2020-01-21T00:00:00Z |
Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6 | |||
eap7-apache-cxf-0:3.2.11-1.redhat_00001.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2020:0159 | 2020-01-21T00:00:00Z |
eap7-glassfish-jsf-0:2.3.5-6.SP3_redhat_00004.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2020:0159 | 2020-01-21T00:00:00Z |
eap7-hal-console-0:3.0.19-1.Final_redhat_00001.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2020:0159 | 2020-01-21T00:00:00Z |
eap7-hibernate-0:5.3.14-1.Final_redhat_00001.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2020:0159 | 2020-01-21T00:00:00Z |
eap7-hibernate-validator-0:6.0.18-1.Final_redhat_00001.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2020:0159 | 2020-01-21T00:00:00Z |
eap7-jackson-annotations-0:2.9.10-1.redhat_00003.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2020:0159 | 2020-01-21T00:00:00Z |
eap7-jackson-core-0:2.9.10-1.redhat_00003.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2020:0159 | 2020-01-21T00:00:00Z |
eap7-jackson-databind-0:2.9.10.1-1.redhat_00001.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2020:0159 | 2020-01-21T00:00:00Z |
eap7-jackson-dataformats-binary-0:2.9.10-1.redhat_00003.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2020:0159 | 2020-01-21T00:00:00Z |
eap7-jackson-dataformats-text-0:2.9.10-1.redhat_00003.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2020:0159 | 2020-01-21T00:00:00Z |
eap7-jackson-jaxrs-providers-0:2.9.10-1.redhat_00003.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2020:0159 | 2020-01-21T00:00:00Z |
eap7-jackson-modules-base-0:2.9.10-2.redhat_00003.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2020:0159 | 2020-01-21T00:00:00Z |
eap7-jackson-modules-java8-0:2.9.10-1.redhat_00003.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2020:0159 | 2020-01-21T00:00:00Z |
eap7-jberet-0:1.3.5-1.Final_redhat_00001.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2020:0159 | 2020-01-21T00:00:00Z |
eap7-jboss-ejb-client-0:4.0.27-1.Final_redhat_00001.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2020:0159 | 2020-01-21T00:00:00Z |
eap7-jboss-jsf-api_2.3_spec-0:2.3.5-3.SP2_redhat_00001.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2020:0159 | 2020-01-21T00:00:00Z |
eap7-jboss-server-migration-0:1.3.1-7.Final_redhat_00007.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2020:0159 | 2020-01-21T00:00:00Z |
eap7-jboss-xnio-base-0:3.7.6-3.SP2_redhat_00001.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2020:0159 | 2020-01-21T00:00:00Z |
eap7-netty-0:4.1.42-1.Final_redhat_00001.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2020:0159 | 2020-01-21T00:00:00Z |
eap7-picketlink-bindings-0:2.5.5-21.SP12_redhat_00010.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2020:0159 | 2020-01-21T00:00:00Z |
eap7-undertow-0:2.0.28-2.SP1_redhat_00001.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2020:0159 | 2020-01-21T00:00:00Z |
eap7-undertow-jastow-0:2.0.8-1.Final_redhat_00001.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2020:0159 | 2020-01-21T00:00:00Z |
eap7-weld-core-0:3.0.6-3.Final_redhat_00003.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2020:0159 | 2020-01-21T00:00:00Z |
eap7-wildfly-0:7.2.6-5.GA_redhat_00001.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2020:0159 | 2020-01-21T00:00:00Z |
eap7-wildfly-http-client-0:1.0.18-2.Final_redhat_00001.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2020:0159 | 2020-01-21T00:00:00Z |
eap7-wildfly-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2020:0159 | 2020-01-21T00:00:00Z |
Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7 | |||
eap7-apache-cxf-0:3.2.11-1.redhat_00001.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2020:0160 | 2020-01-21T00:00:00Z |
eap7-glassfish-jsf-0:2.3.5-6.SP3_redhat_00004.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2020:0160 | 2020-01-21T00:00:00Z |
eap7-hal-console-0:3.0.19-1.Final_redhat_00001.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2020:0160 | 2020-01-21T00:00:00Z |
eap7-hibernate-0:5.3.14-1.Final_redhat_00001.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2020:0160 | 2020-01-21T00:00:00Z |
eap7-hibernate-validator-0:6.0.18-1.Final_redhat_00001.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2020:0160 | 2020-01-21T00:00:00Z |
eap7-jackson-annotations-0:2.9.10-1.redhat_00003.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2020:0160 | 2020-01-21T00:00:00Z |
eap7-jackson-core-0:2.9.10-1.redhat_00003.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2020:0160 | 2020-01-21T00:00:00Z |
eap7-jackson-databind-0:2.9.10.1-1.redhat_00001.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2020:0160 | 2020-01-21T00:00:00Z |
eap7-jackson-dataformats-binary-0:2.9.10-1.redhat_00003.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2020:0160 | 2020-01-21T00:00:00Z |
eap7-jackson-dataformats-text-0:2.9.10-1.redhat_00003.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2020:0160 | 2020-01-21T00:00:00Z |
eap7-jackson-jaxrs-providers-0:2.9.10-1.redhat_00003.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2020:0160 | 2020-01-21T00:00:00Z |
eap7-jackson-modules-base-0:2.9.10-2.redhat_00003.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2020:0160 | 2020-01-21T00:00:00Z |
eap7-jackson-modules-java8-0:2.9.10-1.redhat_00003.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2020:0160 | 2020-01-21T00:00:00Z |
eap7-jberet-0:1.3.5-1.Final_redhat_00001.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2020:0160 | 2020-01-21T00:00:00Z |
eap7-jboss-ejb-client-0:4.0.27-1.Final_redhat_00001.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2020:0160 | 2020-01-21T00:00:00Z |
eap7-jboss-jsf-api_2.3_spec-0:2.3.5-3.SP2_redhat_00001.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2020:0160 | 2020-01-21T00:00:00Z |
eap7-jboss-server-migration-0:1.3.1-7.Final_redhat_00007.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2020:0160 | 2020-01-21T00:00:00Z |
eap7-jboss-xnio-base-0:3.7.6-3.SP2_redhat_00001.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2020:0160 | 2020-01-21T00:00:00Z |
eap7-netty-0:4.1.42-1.Final_redhat_00001.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2020:0160 | 2020-01-21T00:00:00Z |
eap7-picketlink-bindings-0:2.5.5-21.SP12_redhat_00010.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2020:0160 | 2020-01-21T00:00:00Z |
eap7-undertow-0:2.0.28-2.SP1_redhat_00001.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2020:0160 | 2020-01-21T00:00:00Z |
eap7-undertow-jastow-0:2.0.8-1.Final_redhat_00001.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2020:0160 | 2020-01-21T00:00:00Z |
eap7-weld-core-0:3.0.6-3.Final_redhat_00003.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2020:0160 | 2020-01-21T00:00:00Z |
eap7-wildfly-0:7.2.6-5.GA_redhat_00001.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2020:0160 | 2020-01-21T00:00:00Z |
eap7-wildfly-http-client-0:1.0.18-2.Final_redhat_00001.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2020:0160 | 2020-01-21T00:00:00Z |
eap7-wildfly-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2020:0160 | 2020-01-21T00:00:00Z |
Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8 | |||
eap7-apache-cxf-0:3.2.11-1.redhat_00001.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2020:0161 | 2020-01-21T00:00:00Z |
eap7-glassfish-jsf-0:2.3.5-6.SP3_redhat_00004.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2020:0161 | 2020-01-21T00:00:00Z |
eap7-hal-console-0:3.0.19-1.Final_redhat_00001.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2020:0161 | 2020-01-21T00:00:00Z |
eap7-hibernate-0:5.3.14-1.Final_redhat_00001.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2020:0161 | 2020-01-21T00:00:00Z |
eap7-hibernate-validator-0:6.0.18-1.Final_redhat_00001.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2020:0161 | 2020-01-21T00:00:00Z |
eap7-jackson-annotations-0:2.9.10-1.redhat_00003.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2020:0161 | 2020-01-21T00:00:00Z |
eap7-jackson-core-0:2.9.10-1.redhat_00003.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2020:0161 | 2020-01-21T00:00:00Z |
eap7-jackson-databind-0:2.9.10.1-1.redhat_00001.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2020:0161 | 2020-01-21T00:00:00Z |
eap7-jackson-dataformats-binary-0:2.9.10-1.redhat_00003.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2020:0161 | 2020-01-21T00:00:00Z |
eap7-jackson-dataformats-text-0:2.9.10-1.redhat_00003.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2020:0161 | 2020-01-21T00:00:00Z |
eap7-jackson-jaxrs-providers-0:2.9.10-1.redhat_00003.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2020:0161 | 2020-01-21T00:00:00Z |
eap7-jackson-modules-base-0:2.9.10-2.redhat_00003.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2020:0161 | 2020-01-21T00:00:00Z |
eap7-jackson-modules-java8-0:2.9.10-1.redhat_00003.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2020:0161 | 2020-01-21T00:00:00Z |
eap7-jberet-0:1.3.5-1.Final_redhat_00001.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2020:0161 | 2020-01-21T00:00:00Z |
eap7-jboss-ejb-client-0:4.0.27-1.Final_redhat_00001.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2020:0161 | 2020-01-21T00:00:00Z |
eap7-jboss-jsf-api_2.3_spec-0:2.3.5-3.SP2_redhat_00001.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2020:0161 | 2020-01-21T00:00:00Z |
eap7-jboss-server-migration-0:1.3.1-7.Final_redhat_00007.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2020:0161 | 2020-01-21T00:00:00Z |
eap7-jboss-xnio-base-0:3.7.6-3.SP2_redhat_00001.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2020:0161 | 2020-01-21T00:00:00Z |
eap7-netty-0:4.1.42-1.Final_redhat_00001.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2020:0161 | 2020-01-21T00:00:00Z |
eap7-picketlink-bindings-0:2.5.5-21.SP12_redhat_00010.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2020:0161 | 2020-01-21T00:00:00Z |
eap7-undertow-0:2.0.28-2.SP1_redhat_00001.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2020:0161 | 2020-01-21T00:00:00Z |
eap7-undertow-jastow-0:2.0.8-1.Final_redhat_00001.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2020:0161 | 2020-01-21T00:00:00Z |
eap7-weld-core-0:3.0.6-3.Final_redhat_00003.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2020:0161 | 2020-01-21T00:00:00Z |
eap7-wildfly-0:7.2.6-5.GA_redhat_00001.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2020:0161 | 2020-01-21T00:00:00Z |
eap7-wildfly-http-client-0:1.0.18-2.Final_redhat_00001.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2020:0161 | 2020-01-21T00:00:00Z |
eap7-wildfly-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2020:0161 | 2020-01-21T00:00:00Z |
Red Hat Process Automation 7 | |||
jackson-databind | cpe:/a:redhat:jboss_enterprise_bpms_platform:7.7 | RHSA-2020:0895 | 2020-03-18T00:00:00Z |
Red Hat Single Sign-On 7.3 | |||
jackson-databind | cpe:/a:redhat:jboss_single_sign_on:7.3 | RHSA-2020:0445 | 2020-02-06T00:00:00Z |
Text-Only RHOAR | |||
cpe:/a:redhat:openshift_application_runtimes:1.0 | RHSA-2020:2067 | 2020-05-18T00:00:00Z |
No data.
References
History
No history.

Status: PUBLISHED
Assigner: redhat
Published:
Updated: 2024-08-05T00:26:39.152Z
Reserved: 2019-08-10T00:00:00
Link: CVE-2019-14893

No data.

Status : Modified
Published: 2020-03-02T21:15:17.520
Modified: 2024-11-21T04:27:37.670
Link: CVE-2019-14893


No data.