#VU19933 Permissions, Privileges, and Access Controls in jackson-databind


Published: 2019-08-05

Vulnerability identifier: #VU19933

Vulnerability risk: High

CVSSv3.1:

CVE-ID: CVE-2019-14379

CWE-ID:

Exploitation vector: Network

Exploit availability:

Vulnerable software:
jackson-databind
Universal components / Libraries / Libraries used by multiple products

Vendor: FasterXML

Description

The vulnerability allows a remote attacker to execute arbitrary code on a targeted system.

The vulnerability exists due to the "SubTypeValidator.java" file mishandles default typing when Ehcache is used. A remote attacker can send a request that submits malicious input to the targeted system and execute arbitrary code.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

jackson-databind: 2.9.0 - 2.9.9.1, 2.8.0 - 2.8.11.4, 2.7.0 - 2.7.9.6, 2.6.0 - 2.6.8, 2.5.0 - 2.5.5, 2.4.0 - 2.4.6.1, 2.3.0 - 2.3.5, 2.1.0 - 2.1.4, 2.0.0 - 2.0.4

Fixed software versions

CPE

External links
http://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.1...jackson-databind-2.9.9.2
http://github.com/FasterXML/jackson-databind/issues/2387

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM Application Performance Management products
Multiple vulnerabilities in IBM Security Verify Governance
IBM Log Analysis update for FasterXML jackson-databind
Multiple vulnerabilities in Dell Secure Connect Gateway
Multiple vulnerabilities in z/Transaction Processing Facility
Multiple vulnerabilities in IBM Process Mining
Multiple vulnerabilities in Apple Xcode
Multiple vulnerabilities in Red Hat Openshift Logging
Multiple vulnerabilities in Red Hat OpenShift Container Platform
Multiple vulnerabilities in Oracle Communications Diameter Signaling Router (DSR)