CVE-2019-14379

FasterXML/jackson-databind

on github

Published

July 29, 2019

Severity

CVSS v3:

9.8 CRITICAL

CVSS v2:

7.5 HIGH

Description

SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution.

References

Configurations

CPE23	Version Start	Version End	Exact Version
cpe:2.3:a:fasterxml:jackson-databind::::::::	2.9.0 (including)	2.9.9.2	*
cpe:2.3:a:fasterxml:jackson-databind::::::::	2.7.0 (including)	2.7.9.6	*
cpe:2.3:a:fasterxml:jackson-databind::::::::	2.8.0 (including)	2.8.11.4	*
cpe:2.3:a:fasterxml:jackson-databind::::::::	2.6.0 (including)	2.6.7.3	*
cpe:2.3:o:debian:debian_linux:8.0:::::::*	n/a	n/a	8.0
cpe:2.3:a:netapp:snapcenter:-:::::::*	n/a	n/a	-
cpe:2.3:a:netapp:oncommand_workflow_automation:-:::::::*	n/a	n/a	-
cpe:2.3:a:netapp:service_level_manager:-:::::::*	n/a	n/a	-
cpe:2.3:a:netapp:active_iq_unified_manager::::::windows::*	7.3 (including)	n/a	*
cpe:2.3:a:netapp:active_iq_unified_manager::::::vmware_vsphere::*	9.5 (including)	n/a	*
cpe:2.3:a:netapp:active_iq_unified_manager::::::linux::*	7.3 (including)	n/a	*
cpe:2.3:o:fedoraproject:fedora:29:::::::*	n/a	n/a	29
cpe:2.3:o:fedoraproject:fedora:30:::::::*	n/a	n/a	30
cpe:2.3:o:fedoraproject:fedora:31:::::::*	n/a	n/a	31
cpe:2.3:a:redhat:openshift_container_platform:3.11:::::::*	n/a	n/a	3.11
cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0:::::::*	n/a	n/a	15.0
cpe:2.3:a:oracle:primavera_unifier:16.2:::::::*	n/a	n/a	16.2
cpe:2.3:a:oracle:banking_platform:2.4.0:::::::*	n/a	n/a	2.4.0
cpe:2.3:a:oracle:retail_xstore_point_of_service:7.1:::::::*	n/a	n/a	7.1
cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:::::::*	n/a	n/a	9.2
cpe:2.3:a:oracle:banking_platform:2.4.1:::::::*	n/a	n/a	2.4.1
cpe:2.3:a:oracle:primavera_gateway:16.2:::::::*	n/a	n/a	16.2
cpe:2.3:a:oracle:primavera_gateway:15.2:::::::*	n/a	n/a	15.2
cpe:2.3:a:oracle:banking_platform:2.5.0:::::::*	n/a	n/a	2.5.0
cpe:2.3:a:oracle:banking_platform:2.6.0:::::::*	n/a	n/a	2.6.0
cpe:2.3:a:oracle:banking_platform:2.6.1:::::::*	n/a	n/a	2.6.1
cpe:2.3:a:oracle:banking_platform:2.7.0:::::::*	n/a	n/a	2.7.0
cpe:2.3:a:oracle:banking_platform:2.7.1:::::::*	n/a	n/a	2.7.1
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.0.0:::::::*	n/a	n/a	8.0.0
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.1:::::::*	n/a	n/a	8.1
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2.1:::::::*	n/a	n/a	8.2.1
cpe:2.3:a:oracle:goldengate_stream_analytics::::::::	n/a	19.1.0.0.1	*
cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:9.2:::::::*	n/a	n/a	9.2
cpe:2.3:a:oracle:primavera_gateway:17.12:::::::*	n/a	n/a	17.12
cpe:2.3:a:oracle:primavera_unifier:16.1:::::::*	n/a	n/a	16.1
cpe:2.3:a:oracle:primavera_unifier::::::::	17.7 (including)	17.12 (including)	*
cpe:2.3:a:oracle:primavera_unifier:18.8:::::::*	n/a	n/a	18.8
cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:17.0:::::::*	n/a	n/a	17.0
cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0:::::::*	n/a	n/a	16.0
cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0:::::::*	n/a	n/a	17.0
cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0:::::::*	n/a	n/a	18.0
cpe:2.3:a:oracle:siebel_ui_framework::::::::	n/a	19.10 (including)	*
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2:::::::*	n/a	n/a	8.2
cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.3.0:::::::*	n/a	n/a	10.0.1.3.0
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure::::::::	8.0.2 (including)	8.0.8 (including)	*
cpe:2.3:a:oracle:primavera_gateway:18.8.0:::::::*	n/a	n/a	18.8.0
cpe:2.3:a:oracle:siebel_engineering_-_installer_\&_deployment::::::::	n/a	19.8 (including)	*
cpe:2.3:a:apple:xcode::::::::	n/a	13.3	*
cpe:2.3:a:fasterxml:jackson-databind::::::::	2.0.0 (including)	2.6.7.3	*

External Links

NVD - CVE-2019-14379