CVE-2019-16943

CRITICAL

Fasterxml Jackson-databind < 2.6.7.3 - Insecure Deserialization

Title source: rule

Description

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.

Exploits (2)

nomisec STUB

by andikahilmy · poc

https://github.com/andikahilmy/CVE-2019-16943-jackson-databind-vulnerable

View Code ZIP pw:eip

nomisec STUB

by dawetmaster · poc

https://github.com/dawetmaster/CVE-2019-16943-jackson-databind-vulnerable

View Code ZIP pw:eip

References (26)

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2020:0160

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2020:0161

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2020:0164

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2020:0159

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2020:0445

[Patch, Third Party Advisory] https://github.com/FasterXML/jackson-databind/issues/2478

[Mailing List] https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/5ec8d8d485c2c8ac55ea425f4cd96596ef37312532712639712ebcdd%40%3Ccommits.iceberg.apache.org%3E

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2019/10/msg00001.html

[Various Sources] https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062

[Issue Tracking, Mailing List, Third Party Advisory] https://seclists.org/bugtraq/2019/Oct/6

[Third Party Advisory] https://security.netapp.com/advisory/ntap-20191017-0006/

[Mailing List, Third Party Advisory] https://www.debian.org/security/2019/dsa-4542

[Patch, Third Party Advisory] https://www.oracle.com//security-alerts/cpujul2021.html

[Third Party Advisory] https://www.oracle.com/security-alerts/cpuapr2020.html

[Third Party Advisory] https://www.oracle.com/security-alerts/cpujan2020.html

[Third Party Advisory] https://www.oracle.com/security-alerts/cpujul2020.html

[Patch, Third Party Advisory] https://www.oracle.com/security-alerts/cpuoct2020.html

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q7CANA7KV53JROZDX5Z5P26UG5VN2K43/

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TH5VFUN4P7CCIP7KSEXYA5MUTFCUDUJT/

... and 6 more

Scores

CVSS v3 9.8

EPSS 0.0184

EPSS Percentile 82.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-502

Status published

Affected Products (50)

fasterxml/jackson-databind < 2.6.7.3

debian/debian_linux

debian/debian_linux

debian/debian_linux

fedoraproject/fedora

fedoraproject/fedora

redhat/jboss_enterprise_application_platform

redhat/jboss_enterprise_application_platform

oracle/banking_platform

oracle/banking_platform

oracle/banking_platform

oracle/banking_platform

oracle/banking_platform

oracle/banking_platform

oracle/banking_platform

... and 35 more

Timeline

Published Oct 01, 2019

Tracked Since Feb 18, 2026