CVE-2019-14893
CRITICALFasterxml Jackson-databind < 2.8.11.5 - Information Disclosure
Title source: ruleDescription
A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.
Exploits (2)
nomisec
WORKING POC
by dawetmaster · poc
https://github.com/dawetmaster/CVE-2019-14893-jackson-databind-vulnerable
nomisec
WORKING POC
by andikahilmy · poc
https://github.com/andikahilmy/CVE-2019-14893-jackson-databind-vulnerable
References (8)
Scores
CVSS v3
9.8
EPSS
0.0096
EPSS Percentile
76.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-502
CWE-200
Status
published
Products (5)
com.fasterxml.jackson.core/jackson-databind
2.9.0 - 2.9.10Maven
fasterxml/jackson-databind
2.8.0 - 2.8.11.5
netapp/oncommand_api_services
netapp/steelstore_cloud_integrated_storage
oracle/goldengate_stream_analytics
< 19.1.0.0.1
Published
Mar 02, 2020
Tracked Since
Feb 18, 2026