CVE-2019-16943

CRITICAL

Fasterxml Jackson-databind < 2.6.7.3 - Insecure Deserialization

Title source: rule

Description

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.

Exploits (2)

nomisec STUB

by dawetmaster · poc

https://github.com/dawetmaster/CVE-2019-16943-jackson-databind-vulnerable

View Code ZIP pw:eip

nomisec STUB

by andikahilmy · poc

https://github.com/andikahilmy/CVE-2019-16943-jackson-databind-vulnerable

View Code ZIP pw:eip

References (26)

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2019/10/msg00001.html

[Mailing List, Third Party Advisory] https://www.debian.org/security/2019/dsa-4542

[Issue Tracking, Mailing List, Third Party Advisory] https://seclists.org/bugtraq/2019/Oct/6

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TH5VFUN4P7CCIP7KSEXYA5MUTFCUDUJT/

[Mailing List] https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q7CANA7KV53JROZDX5Z5P26UG5VN2K43/

[Mailing List] https://lists.apache.org/thread.html/6788e4c991f75b89d290ad06b463fcd30bcae99fee610345a35b7bc6%40%3Cissues.iceberg.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/5ec8d8d485c2c8ac55ea425f4cd96596ef37312532712639712ebcdd%40%3Ccommits.iceberg.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/r392099ed2757ff2e383b10440594e914d080511d7da1c8fed0612c1f%40%3Ccommits.druid.apache.org%3E

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2020:0164

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2020:0159

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2020:0160

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2020:0161

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2020:0445

[Various Sources] https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062

[Third Party Advisory] https://www.oracle.com/security-alerts/cpuapr2020.html

[Third Party Advisory] https://www.oracle.com/security-alerts/cpujul2020.html

[Third Party Advisory] https://www.oracle.com/security-alerts/cpujan2020.html

... and 6 more

Scores

CVSS v3 9.8

EPSS 0.0184

EPSS Percentile 83.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-502

Status published

Products (49)

com.fasterxml.jackson.core/jackson-databind 2.9.0 - 2.9.10.1Maven

debian/debian_linux 8.0

debian/debian_linux 9.0

debian/debian_linux 10.0

fasterxml/jackson-databind 2.0.0 - 2.6.7.3

fedoraproject/fedora 30

fedoraproject/fedora 31

netapp/active_iq_unified_manager 7.3 (2 CPE variants)

netapp/active_iq_unified_manager 9.5

netapp/oncommand_api_services

... and 39 more

Published Oct 01, 2019

Tracked Since Feb 18, 2026