CVE-2019-14892
on github
Published
Severity
CVSS v3:
9.8 CRITICAL
CVSS v2:
7.5 HIGH
Description
A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code.
References
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14892
- https://github.com/FasterXML/jackson-databind/issues/2462
- https://access.redhat.com/errata/RHSA-2020:0729
- https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E
- https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E
- https://security.netapp.com/advisory/ntap-20200904-0005/
- https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E
- https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E
Configurations
CPE23 | Version Start | Version End | Exact Version |
---|---|---|---|
cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:* | 2.6.7 (including) | 2.6.7.3 | * |
cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:* | 2.8.0 (including) | 2.8.11.5 | * |
cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:* | 2.9.0 (including) | 2.9.10 | * |
cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0:*:*:*:*:*:*:* | n/a | n/a | 7.0 |
cpe:2.3:a:redhat:decision_manager:7.0:*:*:*:*:*:*:* | n/a | n/a | 7.0 |
cpe:2.3:a:redhat:jboss_fuse:7.0.0:*:*:*:*:*:*:* | n/a | n/a | 7.0.0 |
cpe:2.3:a:redhat:process_automation:7.0:*:*:*:*:*:*:* | n/a | n/a | 7.0 |
cpe:2.3:a:redhat:jboss_data_grid:7.0.0:*:*:*:*:*:*:* | n/a | n/a | 7.0.0 |
cpe:2.3:a:redhat:openshift_container_platform:4.3:*:*:*:*:*:*:* | n/a | n/a | 4.3 |
cpe:2.3:a:redhat:jboss_data_grid:-:*:*:*:text-only:*:*:* | n/a | n/a | - |
cpe:2.3:a:apache:geode:1.12.0:*:*:*:*:*:*:* | n/a | n/a | 1.12.0 |
cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:* | 2.0.0 (including) | 2.6.7.3 | * |
cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:* | 2.7.0 (including) | 2.8.11.5 | * |