CVE-2019-12384

CVSS v3: 5.9 (MEDIUM)
CVSS v2: 4.3 (MEDIUM)
Affected: 1 project

Description

FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.

General data-binding package for Jackson: works on streaming API (core) implementation(s)