A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.
References
Link | Resource |
---|---|
https://access.redhat.com/errata/RHSA-2020:0729 | Third Party Advisory |
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14893 | Issue Tracking Patch Third Party Advisory |
https://github.com/FasterXML/jackson-databind/issues/2469 | Third Party Advisory |
https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E | |
https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E | |
https://security.netapp.com/advisory/ntap-20200327-0006/ | Third Party Advisory |
https://www.oracle.com/security-alerts/cpujul2020.html | Third Party Advisory |
https://www.oracle.com/security-alerts/cpuoct2020.html | Third Party Advisory |
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
History
07 Nov 2023, 03:05
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
16 Mar 2021, 17:29
Type | Values Removed | Values Added |
---|---|---|
CPE |
22 Feb 2021, 21:39
Type | Values Removed | Values Added |
---|---|---|
References | (MLIST) https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E - Mailing List, Third Party Advisory | |
References | (MISC) https://www.oracle.com/security-alerts/cpuoct2020.html - Third Party Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E - Mailing List, Third Party Advisory | |
References | (MISC) https://www.oracle.com/security-alerts/cpujul2020.html - Third Party Advisory | |
References | (CONFIRM) https://security.netapp.com/advisory/ntap-20200327-0006/ - Third Party Advisory | |
References | (REDHAT) https://access.redhat.com/errata/RHSA-2020:0729 - Third Party Advisory | |
CPE | cpe:2.3:a:redhat:openshift_container_platform:4.3:*:*:*:*:*:*:* cpe:2.3:a:redhat:jboss_fuse:7.0.0:*:*:*:*:*:*:* cpe:2.3:a:redhat:jboss_data_grid:7.0.0:*:*:*:*:*:*:* cpe:2.3:a:redhat:decision_manager:7.0:*:*:*:*:*:*:* cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0:*:*:*:*:*:*:* |
cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:* cpe:2.3:a:netapp:oncommand_api_services:-:*:*:*:*:*:*:* cpe:2.3:a:oracle:goldengate_stream_analytics:*:*:*:*:*:*:*:* cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:*:*:*:*:*:*:* |
Information
Published : 2020-03-02 21:15
Updated : 2023-12-10 13:13
NVD link : CVE-2019-14893
Mitre link : CVE-2019-14893
CVE.ORG link : CVE-2019-14893
JSON object : View
Products Affected
netapp
- oncommand_api_services
- steelstore_cloud_integrated_storage
oracle
- goldengate_stream_analytics
fasterxml
- jackson-databind