CVE-2019-14892

FasterXML/jackson-databind
on github

Published

Severity

CVSS v3:
9.8 CRITICAL
CVSS v2:
7.5 HIGH

Description

A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code.

References

Configurations

CPE23Version StartVersion EndExact Version
cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*2.6.7 (including)2.6.7.3*
cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*2.8.0 (including)2.8.11.5*
cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*2.9.0 (including)2.9.10*
cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0:*:*:*:*:*:*:*n/an/a7.0
cpe:2.3:a:redhat:decision_manager:7.0:*:*:*:*:*:*:*n/an/a7.0
cpe:2.3:a:redhat:jboss_fuse:7.0.0:*:*:*:*:*:*:*n/an/a7.0.0
cpe:2.3:a:redhat:process_automation:7.0:*:*:*:*:*:*:*n/an/a7.0
cpe:2.3:a:redhat:jboss_data_grid:7.0.0:*:*:*:*:*:*:*n/an/a7.0.0
cpe:2.3:a:redhat:openshift_container_platform:4.3:*:*:*:*:*:*:*n/an/a4.3
cpe:2.3:a:redhat:jboss_data_grid:-:*:*:*:text-only:*:*:*n/an/a-
cpe:2.3:a:apache:geode:1.12.0:*:*:*:*:*:*:*n/an/a1.12.0
cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*2.0.0 (including)2.6.7.3*
cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*2.7.0 (including)2.8.11.5*

External Links