
CVE-2019-14892

Severity: CRITICAL
CVSS Severity Score: 9.8
EPSS Score: 0.1210%
EPSS Percentile: 4.65th
Published: March 2, 2020
Last Modified: November 21, 2024

Vulnerability Description

A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code.

Affected Platforms (CPE)

Fasterxml Jackson Databind: >= 2.0.0 and < 2.6.7.3
Fasterxml Jackson Databind: >= 2.7.0 and < 2.8.11.5
Fasterxml Jackson Databind: >= 2.9.0 and < 2.9.10
Redhat Decision Manager: = 7.0
Redhat Jboss Data Grid: All versions
Redhat Jboss Data Grid: = 7.0.0
Redhat Jboss Enterprise Application Platform: = 7.0
Redhat Jboss Fuse: = 7.0.0
Redhat Openshift Container Platform: = 4.3
Redhat Process Automation: = 7.0
Apache Geode: = 1.12.0
