CVE-2019-12384

MEDIUM

FasterXML jackson-databind <2.9.9.1 - Deserialization

Title source: llm

Description

FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.

Exploits (3)

nomisec WORKING POC 102 stars

by jas502n · poc

https://github.com/jas502n/CVE-2019-12384

View Code ZIP pw:eip

nomisec WORKING POC 21 stars

by MagicZer0 · poc

https://github.com/MagicZer0/Jackson_RCE-CVE-2019-12384

View Code ZIP pw:eip

nomisec WORKING POC

by andikahilmy · poc

https://github.com/andikahilmy/CVE-2019-12384-jackson-databind-vulnerable

View Code ZIP pw:eip

References (45)

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2019:1820

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2019:2720

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2019:2858

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2019:2935

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2019:2936

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2019:2937

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2019:2938

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2019:2998

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2019:3149

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2019:3200

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2019:3292

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2019:3297

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2019:3901

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2019:4352

[Third Party Advisory] https://blog.doyensec.com/2019/07/22/jackson-gadgets.html

[Third Party Advisory] https://doyensec.com/research.html

[Patch, Third Party Advisory] https://github.com/FasterXML/jackson-databind/compare/74b90a4...a977aad

[Mailing List] https://lists.apache.org/thread.html/0d4b630d9ee724aee50703397d9d1afa2b2befc9395ba7797d0ccea9%40%3Cdev.tomee.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/2d2a76440becb610b9a9cb49b15eac3934b02c2dbcaacde1000353e4%40%3Cdev.tomee.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/34717424b4d08b74f65c09a083d6dd1cb0763f37a15d6de135998c1d%40%3Cdev.tomee.apache.org%3E

... and 25 more

Scores

CVSS v3 5.9

EPSS 0.5168

EPSS Percentile 97.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Classification

CWE

CWE-502

Status published

Affected Products (8)

fasterxml/jackson-databind < 2.6.7.3

debian/debian_linux

redhat/enterprise_linux

redhat/enterprise_linux

redhat/enterprise_linux

redhat/enterprise_linux

redhat/enterprise_linux

com.fasterxml.jackson.core/jackson-databind < 2.9.9.1Maven

Timeline

Published Jun 24, 2019

Tracked Since Feb 18, 2026