CVE-2019-12384

FasterXML/jackson-databind
on github

Published

Severity

CVSS v3:
5.9 MEDIUM
CVSS v2:
4.3 MEDIUM

Description

FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.

References

Configurations

CPE23Version StartVersion EndExact Version
cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*2.7.0 (including)2.7.9.5 (including)*
cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*2.8.0 (including)2.8.11.3 (including)*
cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*2.9.0 (including)2.9.9.1*
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*n/an/a8.0
cpe:2.3:o:redhat:enterprise_linux:7.4:*:*:*:*:*:*:*n/an/a7.4
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*n/an/a7.0
cpe:2.3:o:redhat:enterprise_linux:7.5:*:*:*:*:*:*:*n/an/a7.5
cpe:2.3:o:redhat:enterprise_linux:7.6:*:*:*:*:*:*:*n/an/a7.6
cpe:2.3:o:redhat:enterprise_linux:7.7:*:*:*:*:*:*:*n/an/a7.7
cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*2.7.0 (including)2.7.9.6*
cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*2.8.0 (including)2.8.11.4*
cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*2.0.0 (including)2.6.7.3*

External Links