CVE-2019-14893

Published: Mar 2, 2020Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.

Affected (5)

Products: Fasterxml: Jackson Databind · Netapp: Oncommand Api Services, Steelstore Cloud Integrated Storage · Oracle: Goldengate Stream Analytics

1 product

Jackson Databind

2 products

Oncommand Api Services

Steelstore Cloud Integrated Storage

1 product

Goldengate Stream Analytics

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Fasterxml Jackson Databind	From 2.8.0 to 2.8.11.5
Fasterxml Jackson Databind	From 2.9.0 to 2.9.10

Configuration B

2 vulnerable

Vulnerable Software	Affected Versions
Netapp Oncommand Api Services	All versions
Netapp Steelstore Cloud Integrated Storage	All versions

Configuration C

1 vulnerable

Vulnerable Software	Affected Versions
Oracle Goldengate Stream Analytics	Before 19.1.0.0.1

Related CWEs

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References (16)

https://access.redhat.com/errata/RHSA-2020:0729

Source: secalert@redhat.com

Third Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14893

Source: secalert@redhat.com

Issue TrackingPatchThird Party Advisory

https://github.com/FasterXML/jackson-databind/issues/2469

Source: secalert@redhat.com

Third Party Advisory

https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E

Source: secalert@redhat.com

https://security.netapp.com/advisory/ntap-20200327-0006/

Source: secalert@redhat.com

Third Party Advisory

https://www.oracle.com/security-alerts/cpujul2020.html

Source: secalert@redhat.com

Third Party Advisory

https://www.oracle.com/security-alerts/cpuoct2020.html

Source: secalert@redhat.com

Third Party Advisory

https://access.redhat.com/errata/RHSA-2020:0729

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14893

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingPatchThird Party Advisory

https://github.com/FasterXML/jackson-databind/issues/2469

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E

Source: af854a3a-2127-422b-91ae-364da2661108

https://security.netapp.com/advisory/ntap-20200327-0006/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.oracle.com/security-alerts/cpujul2020.html

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.oracle.com/security-alerts/cpuoct2020.html

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.