#VU21470 Input validation error in Codehaus jackson


Published: 2019-10-01

Vulnerability identifier: #VU21470

Vulnerability risk: High

CVSSv3.1: 8.1 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2019-10202

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Codehaus jackson
Universal components / Libraries / Software for developers

Vendor: Codehaus

Description

The vulnerability allows a remote attacker to execute arbitrary code on the system.

The vulnerability exists due to incorrect implementation of patch for Codehaus 1.9.x against insufficient data deserialization present in FasterXML jackson-databind. A remote attacker can bypass implemented protection measures and exploit known deserialization vulnerabilities in jackson-databind package.

Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

Codehaus jackson: 1.9

External links
http://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10202

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM Integration Designer
Multiple vulnerabilities in IBM Disconnected Log Collector
Multiple vulnerabilities in IBM Cloud Pak System
Multiple vulnerabilities in IBM UrbanCode Build
Multiple vulnerabilities in IBM UrbanCode Release
Multiple vulnerabilities in IBM Application Performance Management products
Multiple vulnerabilities in IBM Intelligent Operations Center
Multiple vulnerabilities in IBM Match 360
Multiple vulnerabilities in IBM Security Verify Governance
Multiple vulnerabilities in IBM Voice Gateway