Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2019-14892

Опубликовано: 19 сент. 2019
Источник: redhat
CVSS3: 7.5
EPSS Низкий

Описание

A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code.

Отчет

Satellite 6 does not enable polymorphic unmarshmalling, which is a required configuration for the vulnerability to be used. We may update the jackson-databind dependency in a future release. Red Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time. While OpenShift Container Platform's elasticsearch plugins do ship the vulnerable component, it doesn't do any of the unsafe things described in https://access.redhat.com/solutions/3279231. We may update the jackson-databind dependency in a future release.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat BPM Suite 6jackson-databindOut of support scope
Red Hat Enterprise Linux 8pki-deps:10.6/jackson-databindNot affected
Red Hat JBoss A-MQ 6jackson-databindOut of support scope
Red Hat JBoss Data Virtualization 6jackson-databindOut of support scope
Red Hat JBoss Fuse 6jackson-databindOut of support scope
Red Hat Mobile Application Platform 4jackson-databindOut of support scope
Red Hat OpenShift Application Runtimesjackson-databindAffected
Red Hat OpenShift Container Platform 3.10elasticsearch-cloud-kubernetesWill not fix
Red Hat OpenShift Container Platform 3.10openshift-elasticsearch-pluginWill not fix
Red Hat OpenShift Container Platform 3.11openshift3/ose-logging-elasticsearch5Will not fix

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-502->CWE-200
https://bugzilla.redhat.com/show_bug.cgi?id=1758171jackson-databind: Serialization gadgets in classes of the commons-configuration package

EPSS

Процентиль: 75%
0.00873
Низкий

7.5 High

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2019-14892

CVSS3: 9.8
ubuntu
почти 6 лет назад

A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code.

nvd логотип

CVE-2019-14892

CVSS3: 9.8
nvd
почти 6 лет назад

A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code.

debian логотип

CVE-2019-14892

CVSS3: 9.8
debian
почти 6 лет назад

A flaw was discovered in jackson-databind in versions before 2.9.10, 2 ...

github логотип

GHSA-cf6r-3wgc-h863

CVSS3: 7.5
github
больше 5 лет назад

Polymorphic deserialization of malicious object in jackson-databind

fstec логотип

BDU:2021-02953

CVSS3: 9.8
fstec
больше 6 лет назад

Уязвимость библиотеки Jackson-databind проекта FasterXML, связанная с восстановлением в памяти недостоверных данных, позволяющая нарушителю выполнить произвольный код

EPSS

Процентиль: 75%
0.00873
Низкий

7.5 High

CVSS3