Main Vulnerability Database SB2019073015

SB2019073015 - Information disclosure in FasterXML jackson-databind

Published: July 30, 2019 Updated: September 16, 2019

Security Bulletin ID SB2019073015

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Information disclosure (CVE-ID: CVE-2019-14439)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a polymorphic typing issue when Default Typing is enabled for an externally exposed JSON endpoint and the service has the logback jar in the classpath. A remote attacker can send a specially crafted JSON message and gain unauthorized access to sensitive information on the system.

Remediation

Install update from vendor's website.

References

https://github.com/FasterXML/jackson-databind/commit/ad418eeb974e357f2797aef64aa0e3ffaaa6125b
https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.1...jackson-databind-2.9.9.2
https://github.com/FasterXML/jackson-databind/issues/2389