CVE-2019-14892

CVSS Severity Score: 9.8 (CRITICAL)
EPSS Score: 0.1210%
EPSS Percentile: 4.65th
Published: Mar 2, 2020
Last Modified: Nov 21, 2024

Vulnerability Description

A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code.

Affected Platforms (CPE)

Fasterxml Jackson Databind: >= 2.0.0 and < 2.6.7.3
Fasterxml Jackson Databind: >= 2.7.0 and < 2.8.11.5
Fasterxml Jackson Databind: >= 2.9.0 and < 2.9.10
Redhat Decision Manager: = 7.0
Redhat Jboss Data Grid: All versions
Redhat Jboss Data Grid: = 7.0.0
Redhat Jboss Enterprise Application Platform: = 7.0
Redhat Jboss Fuse: = 7.0.0
Redhat Openshift Container Platform: = 4.3
Redhat Process Automation: = 7.0
Apache Geode: = 1.12.0
