CVE-2019-14540

CRITICAL

FasterXML jackson-databind <2.9.10 - Info Disclosure

Title source: llm

Description

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.

Exploits (3)

nomisec WORKING POC 21 stars

by LeadroyaL · poc

https://github.com/LeadroyaL/cve-2019-14540-exploit

View Code ZIP pw:eip

nomisec WORKING POC

by andikahilmy · poc

https://github.com/andikahilmy/CVE-2019-14540-jackson-databind-vulnerable

View Code ZIP pw:eip

nomisec WORKING POC

by dawetmaster · poc

https://github.com/dawetmaster/CVE-2019-14540-jackson-databind-vulnerable

View Code ZIP pw:eip

References (35)

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2019:3200

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2020:0159

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2020:0160

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2020:0161

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2020:0164

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2020:0445

[Release Notes, Third Party Advisory] https://github.com/FasterXML/jackson-databind/blob/master/release-notes/VERSION-2.x

[Patch, Third Party Advisory] https://github.com/FasterXML/jackson-databind/issues/2410

[Patch, Third Party Advisory] https://github.com/FasterXML/jackson-databind/issues/2449

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2019/10/msg00001.html

[Mailing List, Third Party Advisory] https://seclists.org/bugtraq/2019/Oct/6

[Third Party Advisory] https://security.netapp.com/advisory/ntap-20191004-0002/

[Third Party Advisory] https://www.debian.org/security/2019/dsa-4542

[Third Party Advisory] https://www.oracle.com/security-alerts/cpuapr2020.html

[Third Party Advisory] https://www.oracle.com/security-alerts/cpujan2020.html

[Third Party Advisory] https://www.oracle.com/security-alerts/cpujul2020.html

[Third Party Advisory] https://www.oracle.com/security-alerts/cpuoct2020.html

[Patch, Third Party Advisory] https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q7CANA7KV53JROZDX5Z5P26UG5VN2K43/

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TH5VFUN4P7CCIP7KSEXYA5MUTFCUDUJT/

... and 15 more

Scores

CVSS v3 9.8

EPSS 0.0629

EPSS Percentile 90.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-502

Status published

Affected Products (45)

fasterxml/jackson-databind < 2.6.7.3

netapp/oncommand_api_services

netapp/oncommand_workflow_automation

netapp/steelstore_cloud_integrated_storage

fedoraproject/fedora

debian/debian_linux

redhat/jboss_enterprise_application_platform

oracle/banking_platform

... and 30 more

Timeline

Published Sep 15, 2019

Tracked Since Feb 18, 2026