CVE-2019-14893
CRITICALFasterxml Jackson-databind < 2.8.11.5 - Information Disclosure
Title source: ruleDescription
A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.
Exploits (2)
nomisec
WORKING POC
by dawetmaster · poc
https://github.com/dawetmaster/CVE-2019-14893-jackson-databind-vulnerable
nomisec
WORKING POC
by andikahilmy · poc
https://github.com/andikahilmy/CVE-2019-14893-jackson-databind-vulnerable
References (8)
Scores
CVSS v3
9.8
EPSS
0.0096
EPSS Percentile
76.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Classification
CWE
CWE-502
CWE-200
Status
published
Affected Products (5)
fasterxml/jackson-databind
< 2.8.11.5
netapp/oncommand_api_services
netapp/steelstore_cloud_integrated_storage
oracle/goldengate_stream_analytics
< 19.1.0.0.1
com.fasterxml.jackson.core/jackson-databind
< 2.9.10Maven
Timeline
Published
Mar 02, 2020
Tracked Since
Feb 18, 2026