Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

ubuntu логотип

CVE-2019-14893

Опубликовано: 02 мар. 2020
Источник: ubuntu
Приоритет: medium
EPSS Низкий
CVSS2: 7.5
CVSS3: 9.8

Описание

A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as enableDefaultTyping() or when @JsonTypeInfo is using Id.CLASS or Id.MINIMAL_CLASS or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.

РелизСтатусПримечание
bionic

ignored

end of standard support, was needed
devel

not-affected

2.10.0-2
disco

ignored

end of life
eoan

ignored

end of life
esm-apps/bionic

needed

esm-apps/focal

not-affected

2.10.0-2
esm-apps/jammy

not-affected

2.10.0-2
esm-apps/noble

not-affected

2.10.0-2
esm-apps/xenial

not-affected

code not present
esm-infra-legacy/trusty

needs-triage

Показывать по

Ссылки на источники

EPSS

Процентиль: 67%
0.0054
Низкий

7.5 High

CVSS2

9.8 Critical

CVSS3

Связанные уязвимости

redhat логотип

CVE-2019-14893

CVSS3: 7.5
redhat
больше 6 лет назад

A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.

nvd логотип

CVE-2019-14893

CVSS3: 9.8
nvd
почти 6 лет назад

A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.

debian логотип

CVE-2019-14893

CVSS3: 9.8
debian
почти 6 лет назад

A flaw was discovered in FasterXML jackson-databind in all versions be ...

github логотип

GHSA-qmqc-x3r4-6v39

github
больше 5 лет назад

Polymorphic deserialization of malicious object in jackson-databind

fstec логотип

BDU:2020-04507

CVSS3: 9.8
fstec
почти 6 лет назад

Уязвимость библиотеки Jackson-databind проекта FasterXML, связанная с восстановлением в памяти недостоверной структуры данных, позволяющая нарушителю выполнить произвольный код

EPSS

Процентиль: 67%
0.0054
Низкий

7.5 High

CVSS2

9.8 Critical

CVSS3