CVE-2019-14439

FasterXML/jackson-databind

on github

Published

July 30, 2019

Severity

CVSS v3:

7.5 HIGH

CVSS v2:

5 MEDIUM

Description

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.

References

Configurations

CPE23	Version Start	Version End	Exact Version
cpe:2.3:a:fasterxml:jackson-databind::::::::	2.7.0 (including)	2.7.9.5 (including)	*
cpe:2.3:a:fasterxml:jackson-databind::::::::	2.8.0 (including)	2.8.11.3 (including)	*
cpe:2.3:a:fasterxml:jackson-databind::::::::	2.9.0 (including)	2.9.9.2	*
cpe:2.3:o:debian:debian_linux:8.0:::::::*	n/a	n/a	8.0
cpe:2.3:o:debian:debian_linux:9.0:::::::*	n/a	n/a	9.0
cpe:2.3:o:debian:debian_linux:10.0:::::::*	n/a	n/a	10.0
cpe:2.3:o:fedoraproject:fedora:29:::::::*	n/a	n/a	29
cpe:2.3:o:fedoraproject:fedora:30:::::::*	n/a	n/a	30
cpe:2.3:a:apache:drill:1.16.0:::::::*	n/a	n/a	1.16.0
cpe:2.3:a:redhat:jboss_middleware_text-only_advisories:1.0:::::middleware::	n/a	n/a	1.0
cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0:::::::*	n/a	n/a	15.0
cpe:2.3:a:oracle:banking_platform:2.4.0:::::::*	n/a	n/a	2.4.0
cpe:2.3:a:oracle:retail_xstore_point_of_service:7.1:::::::*	n/a	n/a	7.1
cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:::::::*	n/a	n/a	9.2
cpe:2.3:a:oracle:banking_platform:2.4.1:::::::*	n/a	n/a	2.4.1
cpe:2.3:a:oracle:primavera_gateway:16.1:::::::*	n/a	n/a	16.1
cpe:2.3:a:oracle:primavera_gateway:16.2:::::::*	n/a	n/a	16.2
cpe:2.3:a:oracle:primavera_gateway:15.2:::::::*	n/a	n/a	15.2
cpe:2.3:a:oracle:banking_platform:2.5.0:::::::*	n/a	n/a	2.5.0
cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0:::::::*	n/a	n/a	16.0
cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:9.2:::::::*	n/a	n/a	9.2
cpe:2.3:a:oracle:banking_platform:2.6.0:::::::*	n/a	n/a	2.6.0
cpe:2.3:a:oracle:banking_platform:2.6.1:::::::*	n/a	n/a	2.6.1
cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:17.0:::::::*	n/a	n/a	17.0
cpe:2.3:a:oracle:siebel_ui_framework::::::::	n/a	19.10 (including)	*
cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0:::::::*	n/a	n/a	17.0
cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0:::::::*	n/a	n/a	18.0
cpe:2.3:a:oracle:global_lifecycle_management_opatch::::::::	n/a	11.2.0.3.23	*
cpe:2.3:a:oracle:global_lifecycle_management_opatch::::::::	12.2.0.1.0 (including)	12.2.0.1.19	*
cpe:2.3:a:oracle:global_lifecycle_management_opatch::::::::	13.9.4.0.0 (including)	13.9.4.2.1	*
cpe:2.3:a:oracle:banking_platform:2.7.0:::::::*	n/a	n/a	2.7.0
cpe:2.3:a:oracle:banking_platform:2.7.1:::::::*	n/a	n/a	2.7.1
cpe:2.3:a:oracle:goldengate_stream_analytics::::::::	n/a	19.1.0.0.1	*
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2.1:::::::*	n/a	n/a	8.2.1
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.0.0:::::::*	n/a	n/a	8.0.0
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.1:::::::*	n/a	n/a	8.1
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2:::::::*	n/a	n/a	8.2
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure::::::::	8.0.2 (including)	8.0.8 (including)	*
cpe:2.3:a:oracle:primavera_gateway::::::::	17.7 (including)	17.12 (including)	*
cpe:2.3:a:oracle:primavera_gateway:18.8.0:::::::*	n/a	n/a	18.8.0
cpe:2.3:a:oracle:siebel_engineering_-_installer_\&_deployment::::::::	n/a	19.8 (including)	*
cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.3.0:::::::*	n/a	n/a	10.0.1.3.0
cpe:2.3:a:oracle:global_lifecycle_management_opatch:13.9.4.2.1:::::::*	n/a	n/a	13.9.4.2.1
cpe:2.3:a:oracle:global_lifecycle_management_opatch:11.2.0.3.23:::::::*	n/a	n/a	11.2.0.3.23
cpe:2.3:a:fasterxml:jackson-databind::::::::	2.7.0 (including)	2.7.9.6	*
cpe:2.3:a:fasterxml:jackson-databind::::::::	2.8.0 (including)	2.8.11.4	*
cpe:2.3:a:fasterxml:jackson-databind::::::::	2.0.0 (including)	2.6.7.3	*

External Links

NVD - CVE-2019-14439