CVE-2019-14892
EUVD-2020-042002.03.2020, 17:15
A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code.Enginsight
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| fasterxml | jackson-databind | 2.0.0 ≤ 𝑥 < 2.6.7.3 |
| fasterxml | jackson-databind | 2.7.0 ≤ 𝑥 < 2.8.11.5 |
| fasterxml | jackson-databind | 2.9.0 ≤ 𝑥 < 2.9.10 |
| redhat | decision_manager | 7.0 |
| redhat | jboss_data_grid | - |
| redhat | jboss_data_grid | 7.0.0 |
| redhat | jboss_enterprise_application_platform | 7.0 |
| redhat | jboss_fuse | 7.0.0 |
| redhat | openshift_container_platform | 4.3 |
| redhat | process_automation | 7.0 |
| apache | geode | 1.12.0 |
𝑥
= Vulnerable software versions
Debian Releases
Ubuntu Releases
Common Weakness Enumeration
- CWE-200 - Exposure of Sensitive Information to an Unauthorized ActorThe product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
- CWE-502 - Deserialization of Untrusted DataThe application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
References