TROYANOSYVIRUS
Retour aux CVEs

CVE-2019-14893

CRITICAL
9.8

Description

A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.

Details CVE

Score CVSS v3.19.8
SeveriteCRITICAL
Vecteur CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vecteur d'attaqueNETWORK
ComplexiteLOW
Privileges requisNONE
Interaction utilisateurNONE
Publie3/2/2020
Derniere modification11/21/2024
Sourcenvd
Observations honeypot0

Produits affectes

fasterxml:jackson-databindnetapp:oncommand_api_servicesnetapp:steelstore_cloud_integrated_storageoracle:goldengate_stream_analytics

Faiblesses (CWE)

CWE-200CWE-502CWE-502

References

https://access.redhat.com/errata/RHSA-2020:0729(secalert@redhat.com)
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14893(secalert@redhat.com)
https://github.com/FasterXML/jackson-databind/issues/2469(secalert@redhat.com)
https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E(secalert@redhat.com)
https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E(secalert@redhat.com)
https://security.netapp.com/advisory/ntap-20200327-0006/(secalert@redhat.com)
https://www.oracle.com/security-alerts/cpujul2020.html(secalert@redhat.com)
https://www.oracle.com/security-alerts/cpuoct2020.html(secalert@redhat.com)
https://access.redhat.com/errata/RHSA-2020:0729(af854a3a-2127-422b-91ae-364da2661108)
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14893(af854a3a-2127-422b-91ae-364da2661108)
https://github.com/FasterXML/jackson-databind/issues/2469(af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E(af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E(af854a3a-2127-422b-91ae-364da2661108)
https://security.netapp.com/advisory/ntap-20200327-0006/(af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpujul2020.html(af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpuoct2020.html(af854a3a-2127-422b-91ae-364da2661108)

Correlations IOC

Aucune correlation enregistree

This product uses data from the NVD API but is not endorsed or certified by the NVD.