CVE-2019-12384

Опубликовано: 24 июн. 2019

Источник: nvd

CVSS3: 5.9

CVSS2: 4.3

EPSS Средний

Описание

FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.

Ссылки

https://access.redhat.com/errata/RHSA-2019:1820
Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:2720
Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:2858
Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:2935
Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:2936
Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:2937
Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:2938
Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:2998
Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:3149
Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:3200
Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:3292
Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:3297
Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:3901
Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:4352
Third Party Advisory
https://blog.doyensec.com/2019/07/22/jackson-gadgets.html
Third Party Advisory
https://doyensec.com/research.html
Third Party Advisory
https://github.com/FasterXML/jackson-databind/compare/74b90a4...a977aad
Patch
Third Party Advisory
https://lists.apache.org/thread.html/0d4b630d9ee724aee50703397d9d1afa2b2befc9395ba7797d0ccea9%40%3Cdev.tomee.apache.org%3E
https://lists.apache.org/thread.html/2d2a76440becb610b9a9cb49b15eac3934b02c2dbcaacde1000353e4%40%3Cdev.tomee.apache.org%3E
https://lists.apache.org/thread.html/34717424b4d08b74f65c09a083d6dd1cb0763f37a15d6de135998c1d%40%3Cdev.tomee.apache.org%3E

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*

Версия от 2.0.0 (включая) до 2.6.7.3 (исключая)

cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*

Версия от 2.7.0 (включая) до 2.7.9.6 (исключая)

cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*

Версия от 2.8.0 (включая) до 2.8.11.4 (исключая)

cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*

Версия от 2.9.0 (включая) до 2.9.9.1 (исключая)

Конфигурация 2

cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

Конфигурация 3

Одно из

cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux:7.4:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux:7.5:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux:7.6:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux:7.7:*:*:*:*:*:*:*

EPSS

Процентиль: 98%

0.51675

Средний

5.9 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-502

Связанные уязвимости

CVE-2019-12384

CVSS3: 5.9

ubuntu

почти 6 лет назад

CVE-2019-12384

CVSS3: 8.1

redhat

почти 6 лет назад

CVE-2019-12384

CVSS3: 5.9

debian

почти 6 лет назад

FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to ...

RLSA-2019:2720

rocky

почти 6 лет назад

Important: pki-deps:10.6 security update

GHSA-mph4-vhrx-mv67

CVSS3: 5.9

github

почти 6 лет назад

Deserialization of Untrusted Data in FasterXML jackson-databind

EPSS

Процентиль: 98%

0.51675

Средний

5.9 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-502