A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.
Metrics
No CVSS v4.0
Attack Vector Network
Attack Complexity Low
Privileges Required None
Scope Unchanged
Confidentiality Impact High
Integrity Impact High
Availability Impact High
User Interaction None
Attack Vector Network
Attack Complexity Low
Privileges Required None
Scope Unchanged
Confidentiality Impact High
Integrity Impact None
Availability Impact None
User Interaction None
Access Vector Network
Access Complexity Low
Authentication None
Confidentiality Impact Partial
Integrity Impact Partial
Availability Impact Partial
AV:N/AC:L/Au:N/C:P/I:P/A:P
This CVE is not in the KEV list.
Key SSVC decision points have not yet been added.
Affected Vendors & Products
Vendors | Products |
---|---|
Fasterxml |
|
Netapp |
|
Oracle |
|
Redhat |
|
Configuration 1 [-]
|
Configuration 2 [-]
|
Configuration 3 [-]
|
Package | CPE | Advisory | Released Date |
---|---|---|---|
EAP-CD 19 Tech Preview | |||
jackson-databind | cpe:/a:redhat:jboss_enterprise_application_platform_cd:19 | RHSA-2020:2333 | 2020-05-28T00:00:00Z |
Red Hat Data Grid 7.3.5 | |||
jackson-databind | cpe:/a:redhat:jboss_data_grid:7.3 | RHSA-2020:0729 | 2020-03-05T00:00:00Z |
Red Hat Decision Manager 7 | |||
jackson-databind | cpe:/a:redhat:jboss_enterprise_brms_platform:7.7 | RHSA-2020:0899 | 2020-03-18T00:00:00Z |
Red Hat Fuse 7.7.0 | |||
jackson-databind | cpe:/a:redhat:jboss_fuse:7 | RHSA-2020:3192 | 2020-07-28T00:00:00Z |
Red Hat JBoss EAP 7.2 | |||
jackson-databind | cpe:/a:redhat:jboss_enterprise_application_platform:7.2 | RHSA-2020:0164 | 2020-01-21T00:00:00Z |
Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6 | |||
eap7-apache-cxf-0:3.2.11-1.redhat_00001.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2020:0159 | 2020-01-21T00:00:00Z |
eap7-glassfish-jsf-0:2.3.5-6.SP3_redhat_00004.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2020:0159 | 2020-01-21T00:00:00Z |
eap7-hal-console-0:3.0.19-1.Final_redhat_00001.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2020:0159 | 2020-01-21T00:00:00Z |
eap7-hibernate-0:5.3.14-1.Final_redhat_00001.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2020:0159 | 2020-01-21T00:00:00Z |
eap7-hibernate-validator-0:6.0.18-1.Final_redhat_00001.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2020:0159 | 2020-01-21T00:00:00Z |
eap7-jackson-annotations-0:2.9.10-1.redhat_00003.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2020:0159 | 2020-01-21T00:00:00Z |
eap7-jackson-core-0:2.9.10-1.redhat_00003.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2020:0159 | 2020-01-21T00:00:00Z |
eap7-jackson-databind-0:2.9.10.1-1.redhat_00001.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2020:0159 | 2020-01-21T00:00:00Z |
eap7-jackson-dataformats-binary-0:2.9.10-1.redhat_00003.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2020:0159 | 2020-01-21T00:00:00Z |
eap7-jackson-dataformats-text-0:2.9.10-1.redhat_00003.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2020:0159 | 2020-01-21T00:00:00Z |
eap7-jackson-jaxrs-providers-0:2.9.10-1.redhat_00003.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2020:0159 | 2020-01-21T00:00:00Z |
eap7-jackson-modules-base-0:2.9.10-2.redhat_00003.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2020:0159 | 2020-01-21T00:00:00Z |
eap7-jackson-modules-java8-0:2.9.10-1.redhat_00003.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2020:0159 | 2020-01-21T00:00:00Z |
eap7-jberet-0:1.3.5-1.Final_redhat_00001.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2020:0159 | 2020-01-21T00:00:00Z |
eap7-jboss-ejb-client-0:4.0.27-1.Final_redhat_00001.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2020:0159 | 2020-01-21T00:00:00Z |
eap7-jboss-jsf-api_2.3_spec-0:2.3.5-3.SP2_redhat_00001.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2020:0159 | 2020-01-21T00:00:00Z |
eap7-jboss-server-migration-0:1.3.1-7.Final_redhat_00007.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2020:0159 | 2020-01-21T00:00:00Z |
eap7-jboss-xnio-base-0:3.7.6-3.SP2_redhat_00001.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2020:0159 | 2020-01-21T00:00:00Z |
eap7-netty-0:4.1.42-1.Final_redhat_00001.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2020:0159 | 2020-01-21T00:00:00Z |
eap7-picketlink-bindings-0:2.5.5-21.SP12_redhat_00010.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2020:0159 | 2020-01-21T00:00:00Z |
eap7-undertow-0:2.0.28-2.SP1_redhat_00001.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2020:0159 | 2020-01-21T00:00:00Z |
eap7-undertow-jastow-0:2.0.8-1.Final_redhat_00001.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2020:0159 | 2020-01-21T00:00:00Z |
eap7-weld-core-0:3.0.6-3.Final_redhat_00003.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2020:0159 | 2020-01-21T00:00:00Z |
eap7-wildfly-0:7.2.6-5.GA_redhat_00001.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2020:0159 | 2020-01-21T00:00:00Z |
eap7-wildfly-http-client-0:1.0.18-2.Final_redhat_00001.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2020:0159 | 2020-01-21T00:00:00Z |
eap7-wildfly-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2020:0159 | 2020-01-21T00:00:00Z |
Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7 | |||
eap7-apache-cxf-0:3.2.11-1.redhat_00001.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2020:0160 | 2020-01-21T00:00:00Z |
eap7-glassfish-jsf-0:2.3.5-6.SP3_redhat_00004.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2020:0160 | 2020-01-21T00:00:00Z |
eap7-hal-console-0:3.0.19-1.Final_redhat_00001.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2020:0160 | 2020-01-21T00:00:00Z |
eap7-hibernate-0:5.3.14-1.Final_redhat_00001.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2020:0160 | 2020-01-21T00:00:00Z |
eap7-hibernate-validator-0:6.0.18-1.Final_redhat_00001.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2020:0160 | 2020-01-21T00:00:00Z |
eap7-jackson-annotations-0:2.9.10-1.redhat_00003.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2020:0160 | 2020-01-21T00:00:00Z |
eap7-jackson-core-0:2.9.10-1.redhat_00003.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2020:0160 | 2020-01-21T00:00:00Z |
eap7-jackson-databind-0:2.9.10.1-1.redhat_00001.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2020:0160 | 2020-01-21T00:00:00Z |
eap7-jackson-dataformats-binary-0:2.9.10-1.redhat_00003.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2020:0160 | 2020-01-21T00:00:00Z |
eap7-jackson-dataformats-text-0:2.9.10-1.redhat_00003.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2020:0160 | 2020-01-21T00:00:00Z |
eap7-jackson-jaxrs-providers-0:2.9.10-1.redhat_00003.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2020:0160 | 2020-01-21T00:00:00Z |
eap7-jackson-modules-base-0:2.9.10-2.redhat_00003.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2020:0160 | 2020-01-21T00:00:00Z |
eap7-jackson-modules-java8-0:2.9.10-1.redhat_00003.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2020:0160 | 2020-01-21T00:00:00Z |
eap7-jberet-0:1.3.5-1.Final_redhat_00001.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2020:0160 | 2020-01-21T00:00:00Z |
eap7-jboss-ejb-client-0:4.0.27-1.Final_redhat_00001.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2020:0160 | 2020-01-21T00:00:00Z |
eap7-jboss-jsf-api_2.3_spec-0:2.3.5-3.SP2_redhat_00001.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2020:0160 | 2020-01-21T00:00:00Z |
eap7-jboss-server-migration-0:1.3.1-7.Final_redhat_00007.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2020:0160 | 2020-01-21T00:00:00Z |
eap7-jboss-xnio-base-0:3.7.6-3.SP2_redhat_00001.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2020:0160 | 2020-01-21T00:00:00Z |
eap7-netty-0:4.1.42-1.Final_redhat_00001.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2020:0160 | 2020-01-21T00:00:00Z |
eap7-picketlink-bindings-0:2.5.5-21.SP12_redhat_00010.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2020:0160 | 2020-01-21T00:00:00Z |
eap7-undertow-0:2.0.28-2.SP1_redhat_00001.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2020:0160 | 2020-01-21T00:00:00Z |
eap7-undertow-jastow-0:2.0.8-1.Final_redhat_00001.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2020:0160 | 2020-01-21T00:00:00Z |
eap7-weld-core-0:3.0.6-3.Final_redhat_00003.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2020:0160 | 2020-01-21T00:00:00Z |
eap7-wildfly-0:7.2.6-5.GA_redhat_00001.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2020:0160 | 2020-01-21T00:00:00Z |
eap7-wildfly-http-client-0:1.0.18-2.Final_redhat_00001.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2020:0160 | 2020-01-21T00:00:00Z |
eap7-wildfly-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2020:0160 | 2020-01-21T00:00:00Z |
Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8 | |||
eap7-apache-cxf-0:3.2.11-1.redhat_00001.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2020:0161 | 2020-01-21T00:00:00Z |
eap7-glassfish-jsf-0:2.3.5-6.SP3_redhat_00004.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2020:0161 | 2020-01-21T00:00:00Z |
eap7-hal-console-0:3.0.19-1.Final_redhat_00001.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2020:0161 | 2020-01-21T00:00:00Z |
eap7-hibernate-0:5.3.14-1.Final_redhat_00001.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2020:0161 | 2020-01-21T00:00:00Z |
eap7-hibernate-validator-0:6.0.18-1.Final_redhat_00001.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2020:0161 | 2020-01-21T00:00:00Z |
eap7-jackson-annotations-0:2.9.10-1.redhat_00003.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2020:0161 | 2020-01-21T00:00:00Z |
eap7-jackson-core-0:2.9.10-1.redhat_00003.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2020:0161 | 2020-01-21T00:00:00Z |
eap7-jackson-databind-0:2.9.10.1-1.redhat_00001.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2020:0161 | 2020-01-21T00:00:00Z |
eap7-jackson-dataformats-binary-0:2.9.10-1.redhat_00003.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2020:0161 | 2020-01-21T00:00:00Z |
eap7-jackson-dataformats-text-0:2.9.10-1.redhat_00003.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2020:0161 | 2020-01-21T00:00:00Z |
eap7-jackson-jaxrs-providers-0:2.9.10-1.redhat_00003.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2020:0161 | 2020-01-21T00:00:00Z |
eap7-jackson-modules-base-0:2.9.10-2.redhat_00003.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2020:0161 | 2020-01-21T00:00:00Z |
eap7-jackson-modules-java8-0:2.9.10-1.redhat_00003.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2020:0161 | 2020-01-21T00:00:00Z |
eap7-jberet-0:1.3.5-1.Final_redhat_00001.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2020:0161 | 2020-01-21T00:00:00Z |
eap7-jboss-ejb-client-0:4.0.27-1.Final_redhat_00001.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2020:0161 | 2020-01-21T00:00:00Z |
eap7-jboss-jsf-api_2.3_spec-0:2.3.5-3.SP2_redhat_00001.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2020:0161 | 2020-01-21T00:00:00Z |
eap7-jboss-server-migration-0:1.3.1-7.Final_redhat_00007.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2020:0161 | 2020-01-21T00:00:00Z |
eap7-jboss-xnio-base-0:3.7.6-3.SP2_redhat_00001.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2020:0161 | 2020-01-21T00:00:00Z |
eap7-netty-0:4.1.42-1.Final_redhat_00001.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2020:0161 | 2020-01-21T00:00:00Z |
eap7-picketlink-bindings-0:2.5.5-21.SP12_redhat_00010.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2020:0161 | 2020-01-21T00:00:00Z |
eap7-undertow-0:2.0.28-2.SP1_redhat_00001.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2020:0161 | 2020-01-21T00:00:00Z |
eap7-undertow-jastow-0:2.0.8-1.Final_redhat_00001.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2020:0161 | 2020-01-21T00:00:00Z |
eap7-weld-core-0:3.0.6-3.Final_redhat_00003.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2020:0161 | 2020-01-21T00:00:00Z |
eap7-wildfly-0:7.2.6-5.GA_redhat_00001.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2020:0161 | 2020-01-21T00:00:00Z |
eap7-wildfly-http-client-0:1.0.18-2.Final_redhat_00001.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2020:0161 | 2020-01-21T00:00:00Z |
eap7-wildfly-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2020:0161 | 2020-01-21T00:00:00Z |
Red Hat Process Automation 7 | |||
jackson-databind | cpe:/a:redhat:jboss_enterprise_bpms_platform:7.7 | RHSA-2020:0895 | 2020-03-18T00:00:00Z |
Red Hat Single Sign-On 7.3 | |||
jackson-databind | cpe:/a:redhat:jboss_single_sign_on:7.3 | RHSA-2020:0445 | 2020-02-06T00:00:00Z |
Text-Only RHOAR | |||
cpe:/a:redhat:openshift_application_runtimes:1.0 | RHSA-2020:2067 | 2020-05-18T00:00:00Z |
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: redhat
Published: 2020-03-02T20:11:32
Updated: 2024-08-05T00:26:39.152Z
Reserved: 2019-08-10T00:00:00
Link: CVE-2019-14893
Vulnrichment
No data.
NVD
Status : Modified
Published: 2020-03-02T21:15:17.520
Modified: 2024-11-21T04:27:37.670
Link: CVE-2019-14893
Redhat