Exploitation Summary
EIP tracks 1 public exploit for CVE-2019-10172. PoCs published by rusakovichma.
AI-analyzed exploit summary This repository demonstrates CVE-2019-10172, an XXE vulnerability in Jackson's DOMDeserializer. It includes vulnerable and secure implementations, along with test cases that show the exploit (XXE attack) and mitigation (secure processing).
Description
A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. XML external entity vulnerabilities similar CVE-2016-3720 also affects codehaus jackson-mapper-asl libraries but in different classes.
Exploits (1)
nomisec
WORKING POC
1 stars
by rusakovichma · poc
https://github.com/rusakovichma/CVE-2019-10172
This repository demonstrates CVE-2019-10172, an XXE vulnerability in Jackson's DOMDeserializer. It includes vulnerable and secure implementations, along with test cases that show the exploit (XXE attack) and mitigation (secure processing).
Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target:
Jackson (com.codehaus.jackson) versions with vulnerable DOMDeserializer
No auth needed
Prerequisites:
Application using vulnerable Jackson library for XML deserialization
MITRE ATT&CK
devstral-2 · analyzed Feb 18, 2026
Full analysis →
References (37)
Core 37
Core References
Issue Tracking, Third Party Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10172
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2020/01/msg00037.html
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/r25e25973e9577c62fd0221b4b52990851adf11cbe33036bd67d4b13d%40%3Ccommits.cassandra.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/ra37700b842790883b9082e6b281fb7596f571b13078a4856cd38f2c2%40%3Ccommits.cassandra.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/r0066c1e862613de402fee04e81cbe00bcd64b64a2711beb9a13c3b25%40%3Ccommits.cassandra.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/r37eb6579fa0bf94a72b6c978e2fee96f68a2b1b3ac1b1ce60aee86cf%40%3Ccommits.cassandra.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/rb47911c179c9f3e8ea3f134b5645e63cd20c6fc63bd0b43ab5864bd1%40%3Ccommits.cassandra.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/re07c51a8026c11e6e5513bfdc66d52d1c1027053e480fb8073356257%40%3Ccommits.cassandra.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/re646dcc2739d92117bf9a76a33c600ed3b65e8b4e9b6f441e366b72b%40%3Ccommits.cassandra.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/r4bbfa1439d7a4e1712e260bfc3d90f7cf997abfd641cccde6432d4ab%40%3Ccommits.cassandra.apache.org%3E
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2020/08/msg00039.html
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/r33d25a342af84102903cd9dec8338a5bcba3ecfce10505bdfe793b92%40%3Ccommon-issues.hadoop.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/rd3a34d663e2a25b9ab1e8a1a94712cd5f100f098578aec79af48161e%40%3Ccommon-dev.hadoop.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/r48a32f2dd6976d33f7a12b7e09ec7ea1895f8facba82b565587c28ac%40%3Ccommon-issues.hadoop.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/rb8c09b14fd57d855dc21e0a037dc29258c2cbe9c1966bfff453a02e4%40%3Ccommon-issues.hadoop.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/r386966780034aadee69ffd82d44555117c9339545b9ce990fe490a3e%40%3Ccommits.cassandra.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/r80e8882c86c9c17a57396a5ef7c4f08878d629a0291243411be0de3a%40%3Ccommits.cassandra.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/r68acf97f4526ba59a33cc6e592261ea4f85d890f99e79c82d57dd589%40%3Cissues.spark.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/r43c6f75d203b8afc4fbd6c3200db0384a18a11c59d085b1a9bb0ccfe%40%3Cuser.hadoop.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/r1edabcfacdad42d3c830464e9cf07a9a489059a7b7a8642cf055542d%40%3Cissues.hive.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/r6dea2a887f5eb1d68f124d64b14cd1a04f682f06de8cd01b7e4214e0%40%3Cissues.hive.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/rce00a1c60f7df4b10e72fa87827c102f55b074bb91993631df2c21f9%40%3Cdev.hive.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/r500867b74f42230a3d65b8aec31fc93ac390eeae737c91a759ab94cb%40%3Cissues.hive.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/r5f16a1bd31a7e94ca78eda686179930781aa3a4a990cd55986703581%40%3Cdev.hive.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/r0fbf2c60967bc9f73d7f5a62ad3b955789f9a14b950f42e99fca9b4e%40%3Cissues.hive.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/r04ecadefb27cda84b699130b11b96427f1d8a7a4066d8292f7f15ed8%40%3Ccommon-issues.hadoop.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/r356592d9874ab4bc9da4754592f8aa6edc894c95e17e58484bc2af7a%40%3Cissues.hive.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/r1f07e61b3ebabd3e5b4aa97bf1b26d98b793fdfa29a23dac60633f55%40%3Ccommon-issues.hadoop.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/r08e1b73fabd986dcd2ddd7d09480504d1472264bed2f19b1d2002a9c%40%3Ccommon-issues.hadoop.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/r4176155240cdc36aad7869932d9c29551742c7fa630f209fb4a8e649%40%3Ccommon-issues.hadoop.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/r0d8c3e32a0a2d8a0b6118f5b3487d363afdda80c996d7b930097383d%40%3Ccommon-issues.hadoop.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/rb036bf32e4dacc49335e3bdc1be8e53d6f54df692ac8e2251a6884bd%40%3Ccommon-issues.hadoop.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/r1cc8bce2cf3dfce08a64c4fa20bf38d33b56ad995cee2e382f522f83%40%3Ccommon-issues.hadoop.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/r385c35a7c6f4acaacf37fe22922bb8e2aed9d322d0fa6dc1d45acddb%40%3Ccommits.cassandra.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/rd27730cfc3066dfcf15927c8e800603728d5dedf17eee1f8c6e3507c%40%3Ccommon-issues.hadoop.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/r21ac3570ce865b8f1e5d26e492aeb714a6aaa53a0c9a6f72ef181556%40%3Ccommits.cassandra.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/r634468eb3218ab02713128ff6f4818c618622b2b3de4d958138dde49%40%3Ccommits.cassandra.apache.org%3E
Scores
CVSS v3
7.5
EPSS
0.0056
EPSS Percentile
68.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Details
CWE
CWE-611
Status
published
Products (7)
apache/spark
3.0.1
debian/debian_linux
8.0
debian/debian_linux
9.0
fasterxml/jackson-mapper-asl
1.9.0 - 1.9.13
org.codehaus.jackson/jackson-mapper-asl
0Maven
redhat/jboss_enterprise_application_platform
7.0
redhat/jboss_fuse
7.0.0
Published
Nov 18, 2019
Tracked Since
Feb 18, 2026