CVE-2019-14893

Опубликовано: 02 мар. 2020

Источник: nvd

CVSS3: 7.5

CVSS3: 9.8

CVSS2: 7.5

EPSS Низкий

Описание

A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as enableDefaultTyping() or when @JsonTypeInfo is using Id.CLASS or Id.MINIMAL_CLASS or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.

Ссылки

https://access.redhat.com/errata/RHSA-2020:0729
Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14893
Issue Tracking
Patch
Third Party Advisory
https://github.com/FasterXML/jackson-databind/issues/2469
Third Party Advisory
https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E
https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E
https://security.netapp.com/advisory/ntap-20200327-0006/
Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2020.html
Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.html
Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0729
Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14893
Issue Tracking
Patch
Third Party Advisory
https://github.com/FasterXML/jackson-databind/issues/2469
Third Party Advisory
https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E
https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E
https://security.netapp.com/advisory/ntap-20200327-0006/
Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2020.html
Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.html
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*

Версия от 2.8.0 (включая) до 2.8.11.5 (исключая)

cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*

Версия от 2.9.0 (включая) до 2.9.10 (исключая)

Конфигурация 2

Одно из

cpe:2.3:a:netapp:oncommand_api_services:-:*:*:*:*:*:*:*

cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:*:*:*:*:*:*:*

Конфигурация 3

cpe:2.3:a:oracle:goldengate_stream_analytics:*:*:*:*:*:*:*:*

Версия до 19.1.0.0.1 (исключая)

EPSS

Процентиль: 67%

0.0054

Низкий

7.5 High

CVSS3

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-200

CWE-502

Связанные уязвимости

CVE-2019-14893

CVSS3: 9.8

ubuntu

почти 6 лет назад

A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.

CVE-2019-14893

CVSS3: 7.5

redhat

больше 6 лет назад

A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.

CVE-2019-14893

CVSS3: 9.8

debian

почти 6 лет назад

A flaw was discovered in FasterXML jackson-databind in all versions be ...

GHSA-qmqc-x3r4-6v39

github

больше 5 лет назад

Polymorphic deserialization of malicious object in jackson-databind

BDU:2020-04507

CVSS3: 9.8

fstec

почти 6 лет назад

Уязвимость библиотеки Jackson-databind проекта FasterXML, связанная с восстановлением в памяти недостоверной структуры данных, позволяющая нарушителю выполнить произвольный код

EPSS

Процентиль: 67%

0.0054

Низкий

7.5 High

CVSS3

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-200

CWE-502