#VU19941 Information disclosure


Published: 2019-08-06

Vulnerability identifier: #VU19941

Vulnerability risk: Medium

CVSSv3.1:

CVE-ID: CVE-2019-12086

CWE-ID: CWE-200

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
jackson-databind
Universal components / Libraries / Libraries used by multiple products

Vendor: FasterXML

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a polymorphic typing issue in jackson-databind when Default Typing is enabled for an externally exposed JSON endpoint and the mysql-connector-java jar is present on the service's classpath. A remote attacker can send a specially crafted JSON message and read arbitrary local files on the server, because the "com.mysql.cj.jdbc.admin.MiniAdmin" class was missing from the library's validation of polymorphic types.
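The precondition the description names is a global Default Typing setting, which lets the JSON document choose the class to instantiate. The following is an added example, not code from this advisory or from FasterXML: it places that risky configuration next to the allow-list form that jackson-databind offers from 2.10 onward (activateDefaultTyping with a BasicPolymorphicTypeValidator), so the two are easy to tell apart in a code review. The Event and LoginEvent classes are hypothetical application types, and the two JSON documents are constructed for the demonstration; the "foreign" document names a harmless JDK collection rather than any gadget class.

```java
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingHardening {

    // Hypothetical application types: the polymorphic base and one concrete subtype.
    public static abstract class Event {
        public String source;
    }

    public static class LoginEvent extends Event {
        public String user;
    }

    // The precondition named in the advisory: Default Typing enabled for every
    // non-final type, so the JSON document itself picks the class to instantiate.
    // Shown only so the risky setting is recognisable in a code review.
    @SuppressWarnings("deprecation")
    public static ObjectMapper riskyMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // Hardened form (jackson-databind 2.10 and later): Default Typing is only honoured
    // for subtypes of the application's own Event hierarchy. Any other class named in
    // the document is refused before an instance is created, whatever jars sit on the
    // classpath.
    public static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Event.class)
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // Returns true when the mapper is willing to instantiate the type named in the
    // document, false when the polymorphic type validator rejects it.
    public static boolean accepts(ObjectMapper mapper, String json) throws JsonProcessingException {
        try {
            mapper.readValue(json, Object.class);
            return true;
        } catch (JsonMappingException rejected) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample document: a legitimate application event, carried with the
        // type id that Default Typing writes for non-final classes (array wrapper form).
        LoginEvent event = new LoginEvent();
        event.source = "web";
        event.user = "alice";
        String eventJson = hardenedMapper().writeValueAsString(event);
        System.out.println("serialized: " + eventJson);

        // Constructed sample document naming a class outside the allow-list. A harmless
        // JDK collection is used here; the point is that the name comes from the input.
        String foreignJson = "[\"java.util.HashMap\", {}]";

        System.out.println("risky mapper accepts event:      " + accepts(riskyMapper(), eventJson));
        System.out.println("risky mapper accepts foreign:    " + accepts(riskyMapper(), foreignJson));
        System.out.println("hardened mapper accepts event:   " + accepts(hardenedMapper(), eventJson));
        System.out.println("hardened mapper accepts foreign: " + accepts(hardenedMapper(), foreignJson));
    }
}
```

The risky mapper accepts both documents; the hardened mapper accepts only the one whose type id falls inside the Event hierarchy and rejects the other with a JsonMappingException (an InvalidTypeIdException in practice). Restricting the validator to the application's own types is what removes the dependence on whichever jars happen to be on the classpath, which is the condition the advisory relies on.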

Mitigation
Install updates from the vendor's website.

Vulnerable software versions

jackson-databind: 2.9.0 - 2.9.8, 2.8.0 - 2.8.11.4, 2.7.0 - 2.7.9.6, 2.6.0 - 2.6.8, 2.5.0 - 2.5.5, 2.4.0 - 2.4.6.1, 2.3.0 - 2.3.5, 2.1.0 - 2.1.4, 2.0.0 - 2.0.4

External links
http://russiansecurity.expert/2016/04/20/mysql-connect-file-read/
http://github.com/FasterXML/jackson-databind/issues/2326
http://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.9
http://lists.debian.org/debian-lts-announce/2019/05/msg00030.html
http://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062


Q & A

Can this vulnerability be exploited remotely?

Yes. The exploitation vector is Network: a remote attacker can send a specially crafted JSON message to an externally exposed endpoint.

Is there known malware, which exploits this vulnerability?
