CVE-2019-14893

CRITICAL

FasterXML jackson-databind < 2.9.10 - Remote Code Execution via Xalan JNDI Gadget Deserialization

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2019-14893. PoCs published by dawetmaster, andikahilmy.

AI-analyzed exploit summary: This repository contains a vulnerable version of Jackson Databind (2.9.0) that is susceptible to CVE-2019-14893, a deserialization vulnerability. The included source code and build configuration allow for testing and exploitation of the flaw.

Description

A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0: it permits polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()`, when `@JsonTypeInfo` uses `Id.CLASS` or `Id.MINIMAL_CLASS`, or in any other way in which `ObjectMapper.readValue` might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.
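As an added illustration, not code from this record or from the PoC repositories, the following shows the unsafe `enableDefaultTyping()` configuration the description names next to the allow-list form that jackson-databind 2.10 and later provide through `activateDefaultTyping` with a `PolymorphicTypeValidator`. The `Envelope` class, the `com.example.model.` package prefix and the JSON input are assumed and constructed for the demo; `java.util.HashMap` stands in for whatever class name the sender chooses.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingHardening {

    // Hypothetical application type: an Object-typed field is where a
    // class-name type id in the JSON becomes meaningful to Jackson.
    public static class Envelope {
        public Object body;
    }

    // Constructed input. The class name is chosen by whoever sends the JSON,
    // which is the root of CVE-2019-14893; HashMap is used here only to
    // make the accept/reject difference visible without any gadget.
    static final String INPUT = "{\"body\":[\"java.util.HashMap\",{\"k\":\"v\"}]}";

    // Pre-2.9.10 pattern: global default typing with no type validation,
    // so any class on the classpath can be named and instantiated.
    static ObjectMapper unsafeMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(); // deprecated since 2.10 for this reason
        return m;
    }

    // Hardened pattern (jackson-databind 2.10+): default typing is only
    // activated together with an allow-list validator, so a type id outside
    // the application's own model package is rejected before class loading.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType("com.example.model.") // assumed package prefix
            .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    public static void main(String[] args) throws Exception {
        Envelope e = unsafeMapper().readValue(INPUT, Envelope.class);
        System.out.println("unsafe mapper instantiated: " + e.body.getClass().getName());
        try {
            hardenedMapper().readValue(INPUT, Envelope.class);
            System.out.println("hardened mapper accepted the type id (unexpected)");
        } catch (InvalidTypeIdException ex) {
            System.out.println("hardened mapper rejected type id: " + ex.getTypeId());
        }
    }
}
```

Upgrading to a fixed release alone only blocks the known gadget classes; removing global default typing, or restricting it with a validator as above, is what closes the class of bug the description lists.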

Exploits (2)

nomisec WORKING POC
by dawetmaster · poc
https://github.com/dawetmaster/CVE-2019-14893-jackson-databind-vulnerable

This repository contains a vulnerable version of Jackson Databind (2.9.0) that is susceptible to CVE-2019-14893, a deserialization vulnerability. The included source code and build configuration allow for testing and exploitation of the flaw.

Classification: Working PoC (90%)
Attack Type: Deserialization
Complexity: Moderate
Reliability: Reliable
Target: Jackson Databind 2.9.0
No auth needed
Prerequisites: Java environment · vulnerable Jackson Databind version
devstral-2 · analyzed Mar 14, 2026
nomisec WORKING POC
by andikahilmy · poc
https://github.com/andikahilmy/CVE-2019-14893-jackson-databind-vulnerable

This repository contains a vulnerable version of Jackson Databind (2.9.0) that is susceptible to CVE-2019-14893, a deserialization vulnerability. The included source code and build configuration allow for testing and exploitation of the vulnerability.

Classification: Working PoC (90%)
Attack Type: Deserialization
Complexity: Moderate
Reliability: Reliable
Target: Jackson Databind 2.9.0
No auth needed
Prerequisites: Vulnerable version of Jackson Databind (2.9.0) · Ability to send crafted JSON payloads to an application using Jackson Databind
devstral-2 · analyzed Feb 18, 2026

References (8)

https://access.redhat.com/errata/RHSA-2020:0729 (Third Party Advisory, vendor advisory)
https://www.oracle.com/security-alerts/cpujul2020.html (Third Party Advisory)
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14893 (Issue Tracking, Patch, Third Party Advisory)
https://github.com/FasterXML/jackson-databind/issues/2469 (Third Party Advisory)
https://security.netapp.com/advisory/ntap-20200327-0006/ (Third Party Advisory)
https://www.oracle.com/security-alerts/cpuoct2020.html (Third Party Advisory)

Scores

CVSS v3 9.8
EPSS 0.0096
EPSS Percentile 76.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-502 CWE-200
Status published
Products (5)
com.fasterxml.jackson.core/jackson-databind 2.9.0 - 2.9.10 (Maven)
fasterxml/jackson-databind 2.8.0 - 2.8.11.5
netapp/oncommand_api_services
netapp/steelstore_cloud_integrated_storage
oracle/goldengate_stream_analytics < 19.1.0.0.1
Published Mar 02, 2020
Tracked Since Feb 18, 2026