Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

debian логотип

CVE-2019-14892

Опубликовано: 02 мар. 2020
Источник: debian
EPSS Низкий

Описание

A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code.

Пакеты

ПакетСтатусВерсия исправленияРелизТип
jackson-databindfixed2.10.0-1package
jackson-databindfixed2.9.8-3+deb10u1busterpackage
jackson-databindfixed2.8.6-1+deb9u6stretchpackage
jackson-databindfixed2.4.2-2+deb8u9jessiepackage

Примечания

  • https://github.com/FasterXML/jackson-databind/issues/2462

  • https://github.com/FasterXML/jackson-databind/commit/41b7f9b90149e9d44a65a8261a8deedc7186f6af

  • https://github.com/FasterXML/jackson-databind/commit/819cdbcab51c6da9fb896380f2d46e9b7d4fdc3b

EPSS

Процентиль: 75%
0.00873
Низкий

Связанные уязвимости

ubuntu логотип

CVE-2019-14892

CVSS3: 9.8
ubuntu
почти 6 лет назад

A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code.

redhat логотип

CVE-2019-14892

CVSS3: 7.5
redhat
больше 6 лет назад

A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code.

nvd логотип

CVE-2019-14892

CVSS3: 9.8
nvd
почти 6 лет назад

A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code.

github логотип

GHSA-cf6r-3wgc-h863

CVSS3: 7.5
github
больше 5 лет назад

Polymorphic deserialization of malicious object in jackson-databind

fstec логотип

BDU:2021-02953

CVSS3: 9.8
fstec
больше 6 лет назад

Уязвимость библиотеки Jackson-databind проекта FasterXML, связанная с восстановлением в памяти недостоверных данных, позволяющая нарушителю выполнить произвольный код

EPSS

Процентиль: 75%
0.00873
Низкий