CVE-2019-12384

Published: Jun 24, 2019Modified: Nov 21, 2024

5.9

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.2 / Impact: 3.6

Source: NVD

Description

FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.

Affected (10)

Products: Fasterxml: Jackson Databind · Debian: Debian Linux · Redhat: Enterprise Linux

1 product

1 product

1 product

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Fasterxml Jackson Databind	From 2.0.0 to 2.6.7.3
Fasterxml Jackson Databind	From 2.7.0 to 2.7.9.6
Fasterxml Jackson Databind	From 2.8.0 to 2.8.11.4
Fasterxml Jackson Databind	From 2.9.0 to 2.9.9.1

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 8.0

Configuration C

5 vulnerable

Vulnerable Software	Affected Versions
Redhat Enterprise Linux	Version 7.0
Redhat Enterprise Linux	Version 7.4
Redhat Enterprise Linux	Version 7.5
Redhat Enterprise Linux	Version 7.6
Redhat Enterprise Linux	Version 7.7

Related CWEs

CWE-502

Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References (92)

https://access.redhat.com/errata/RHSA-2019:1820

Source: cve@mitre.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:2720

Source: cve@mitre.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:2858

Source: cve@mitre.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:2935

Source: cve@mitre.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:2936

Source: cve@mitre.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:2937

Source: cve@mitre.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:2938

Source: cve@mitre.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:2998

Source: cve@mitre.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:3149

Source: cve@mitre.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:3200

Source: cve@mitre.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:3292

Source: cve@mitre.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:3297

Source: cve@mitre.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:3901

Source: cve@mitre.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:4352

Source: cve@mitre.org

Third Party Advisory

https://blog.doyensec.com/2019/07/22/jackson-gadgets.html

Source: cve@mitre.org

Third Party Advisory

https://doyensec.com/research.html

Source: cve@mitre.org

Third Party Advisory

https://github.com/FasterXML/jackson-databind/compare/74b90a4...a977aad

Source: cve@mitre.org

PatchThird Party Advisory

https://lists.apache.org/thread.html/0d4b630d9ee724aee50703397d9d1afa2b2befc9395ba7797d0ccea9%40%3Cdev.tomee.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/2d2a76440becb610b9a9cb49b15eac3934b02c2dbcaacde1000353e4%40%3Cdev.tomee.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/34717424b4d08b74f65c09a083d6dd1cb0763f37a15d6de135998c1d%40%3Cdev.tomee.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/3f99ae8dcdbd69438cb733d745ee3ad5e852068490719a66509b4592%40%3Ccommits.cassandra.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/56c8042873595b8c863054c7bfccab4bf2c01c6f5abedae249d914b9%40%3Cdev.tomee.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/5ecc333113b139429f4f05000d4aa2886974d4df3269c1dd990bb319%40%3Cdev.tomee.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/5fc0e16b7af2590bf1e97c76c136291c4fdb244ee63c65c485c9a7a1%40%3Cdev.tomee.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/87e46591de8925f719664a845572d184027258c5a7af0a471b53c77b%40%3Cdev.tomee.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/940b4c3fef002461b89a050935337056d4a036a65ef68e0bbd4621ef%40%3Cdev.struts.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3%40%3Ccommits.nifi.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/e0733058c0366b703e6757d8d2a7a04b943581f659e9c271f0841dfe%40%3Cnotifications.geode.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/ee0a051428d2c719acfa297d0854a189ea5e284ef3ed491fa672f4be%40%3Cdev.tomee.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3E

Source: cve@mitre.org

https://lists.debian.org/debian-lts-announce/2019/06/msg00019.html

Source: cve@mitre.org

Mailing ListThird Party Advisory

https://lists.debian.org/debian-lts-announce/2019/06/msg00019.html

Source: cve@mitre.org

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OVRZDN2T6AZ6DJCZJ3VSIQIVHBVMVWBL/

Source: cve@mitre.org

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TXRVXNRFHJSQWFHPRJQRI5UPMZ63B544/

Source: cve@mitre.org

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UKUALE2TUCKEKOHE2D342PQXN4MWCSLC/

Source: cve@mitre.org

https://seclists.org/bugtraq/2019/Oct/6

Source: cve@mitre.org

Mailing ListThird Party Advisory

https://security.netapp.com/advisory/ntap-20190703-0002/

Source: cve@mitre.org

Third Party Advisory

https://www.debian.org/security/2019/dsa-4542

Source: cve@mitre.org

Third Party Advisory

https://www.oracle.com/security-alerts/cpuapr2020.html

Source: cve@mitre.org

Third Party Advisory

https://www.oracle.com/security-alerts/cpujan2020.html

Source: cve@mitre.org

Third Party Advisory

https://www.oracle.com/security-alerts/cpujul2020.html

Source: cve@mitre.org

Third Party Advisory

https://www.oracle.com/security-alerts/cpuoct2020.html

Source: cve@mitre.org

Third Party Advisory

https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

Source: cve@mitre.org

PatchThird Party Advisory

https://access.redhat.com/errata/RHSA-2019:1820