CVE-2019-16943

CRITICAL

jackson-databind 2.0.0-2.9.10 - Remote Code Execution via P6Spy Default Typing


Exploitation Summary

EIP tracks 2 public exploits for CVE-2019-16943. PoCs published by dawetmaster, andikahilmy.

Description

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.

Exploits (2)

nomisec STUB
by dawetmaster · poc
https://github.com/dawetmaster/CVE-2019-16943-jackson-databind-vulnerable

The repository contains a partial copy of the Jackson Databind library but lacks any exploit code or technical analysis related to CVE-2019-16943. It appears to be a placeholder or incomplete project.

Classification: Stub 90%
Attack Type: Deserialization
Complexity: Theoretical
Reliability: Theoretical
Target: Jackson Databind (version not specified)
No auth needed
Prerequisites: None identified
devstral-2 · analyzed Mar 14, 2026

nomisec STUB
by andikahilmy · poc
https://github.com/andikahilmy/CVE-2019-16943-jackson-databind-vulnerable

The repository contains a partial snapshot of the Jackson Databind library but lacks any exploit code or technical analysis specific to CVE-2019-16943. It includes only a subset of source files and a generic README with no vulnerability details.

Classification: Stub 90%
Attack Type: Deserialization
Complexity: Trivial
Reliability: Theoretical
Target: Jackson Databind (version not specified)
No auth needed
Prerequisites: None specified
devstral-2 · analyzed Feb 18, 2026

References (26)

Core References
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2019/10/msg00001.html
Mailing List, Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2019/dsa-4542
Issue Tracking, Mailing List, Third Party Advisory mailing-list x_refsource_bugtraq
https://seclists.org/bugtraq/2019/Oct/6
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2020:0164
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2020:0159
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2020:0160
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2020:0161
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2020:0445
Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuapr2020.html
Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpujul2020.html
Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpujan2020.html
Patch, Third Party Advisory x_refsource_misc
https://github.com/FasterXML/jackson-databind/issues/2478
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20191017-0006/
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuoct2020.html
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com//security-alerts/cpujul2021.html

Scores

CVSS v3 9.8
EPSS 0.0184
EPSS Percentile 83.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-502
Status: published
Products (49)
com.fasterxml.jackson.core/jackson-databind 2.9.0 - 2.9.10.1 (Maven)
debian/debian_linux 8.0
debian/debian_linux 9.0
debian/debian_linux 10.0
fasterxml/jackson-databind 2.0.0 - 2.6.7.3
fedoraproject/fedora 30
fedoraproject/fedora 31
netapp/active_iq_unified_manager 7.3 (2 CPE variants)
netapp/active_iq_unified_manager 9.5
netapp/oncommand_api_services
... and 39 more
Published Oct 01, 2019
Tracked Since Feb 18, 2026