A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.
Metrics
Affected Vendors & Products
Advisories
Source | ID | Title |
---|---|---|
![]() |
DLA-1943-1 | jackson-databind security update |
![]() |
DSA-4542-1 | jackson-databind security update |
![]() |
EUVD-2019-0747 | A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling. |
![]() |
GHSA-fmmc-742q-jg75 | jackson-databind polymorphic typing issue |
![]() |
USN-4813-1 | Jackson Databind vulnerabilities |
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
No history.

Status: PUBLISHED
Assigner: mitre
Published:
Updated: 2024-08-05T01:24:48.524Z
Reserved: 2019-09-29T00:00:00
Link: CVE-2019-16943

No data.

Status : Modified
Published: 2019-10-01T17:15:10.400
Modified: 2024-11-21T04:31:23.737
Link: CVE-2019-16943


No data.