9.8
CVE-2019-16942
- EPSS 5.68%
- Veröffentlicht 01.10.2019 17:15:10
- Zuletzt bearbeitet 21.11.2024 04:31:23
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Fasterxml ≫ Jackson-databind Version >= 2.0.0 < 2.6.7.3
Fasterxml ≫ Jackson-databind Version >= 2.8.0 < 2.8.11.5
Fasterxml ≫ Jackson-databind Version >= 2.9.0 < 2.9.10.1
Debian ≫ Debian Linux Version8.0
Debian ≫ Debian Linux Version9.0
Debian ≫ Debian Linux Version10.0
Fedoraproject ≫ Fedora Version30
Fedoraproject ≫ Fedora Version31
Redhat ≫ Jboss Enterprise Application Platform Version7.2.0
Redhat ≫ Enterprise Linux Version6.0
Redhat ≫ Enterprise Linux Version7.0
Redhat ≫ Enterprise Linux Version8.0
Redhat ≫ Enterprise Linux Version7.0
Redhat ≫ Enterprise Linux Version8.0
Redhat ≫ Jboss Enterprise Application Platform Version7.3
Redhat ≫ Enterprise Linux Version6.0
Redhat ≫ Enterprise Linux Version7.0
Redhat ≫ Enterprise Linux Version8.0
Redhat ≫ Enterprise Linux Version7.0
Redhat ≫ Enterprise Linux Version8.0
Netapp ≫ Active Iq Unified Manager SwPlatformlinux Version >= 7.3
Netapp ≫ Active Iq Unified Manager SwPlatformwindows Version >= 7.3
Netapp ≫ Active Iq Unified Manager SwPlatformvmware_vsphere Version >= 9.5
Netapp ≫ Oncommand Api Services Version-
Netapp ≫ Oncommand Workflow Automation Version-
Netapp ≫ Service Level Manager Version-
Netapp ≫ Steelstore Cloud Integrated Storage Version-
Oracle ≫ Banking Platform Version2.4.0
Oracle ≫ Banking Platform Version2.4.1
Oracle ≫ Banking Platform Version2.5.0
Oracle ≫ Banking Platform Version2.6.0
Oracle ≫ Banking Platform Version2.6.1
Oracle ≫ Banking Platform Version2.6.2
Oracle ≫ Banking Platform Version2.7.0
Oracle ≫ Banking Platform Version2.7.1
Oracle ≫ Banking Platform Version2.9.0
Oracle ≫ Communications Billing And Revenue Management Version7.5.0.23.0
Oracle ≫ Communications Billing And Revenue Management Version12.0.0.3.0
Oracle ≫ Communications Calendar Server Version8.0.0.2.0
Oracle ≫ Communications Calendar Server Version8.0.0.3.0
Oracle ≫ Database Server Version12.2.0.1
Oracle ≫ Database Server Version18c
Oracle ≫ Database Server Version19c
Oracle ≫ Global Lifecycle Management Nextgen Oui Framework Version12.2.1.3.0
Oracle ≫ Global Lifecycle Management Nextgen Oui Framework Version12.2.1.4.0
Oracle ≫ Global Lifecycle Management Nextgen Oui Framework Version13.9.4.2.2
Oracle ≫ Goldengate Application Adapters Version19.1.0.0.0
Oracle ≫ Jd Edwards Enterpriseone Orchestrator Version9.2
Oracle ≫ Jd Edwards Enterpriseone Tools Version9.2
Oracle ≫ Primavera Gateway Version >= 17.12.0 <= 17.12.6
Oracle ≫ Primavera Gateway Version >= 18.8.0 <= 18.8.8
Oracle ≫ Primavera Gateway Version19.12.0
Oracle ≫ Primavera Unifier Version >= 17.7 <= 17.12
Oracle ≫ Primavera Unifier Version16.1
Oracle ≫ Primavera Unifier Version16.2
Oracle ≫ Primavera Unifier Version18.8
Oracle ≫ Primavera Unifier Version19.12
Oracle ≫ Retail Merchandising System Version15.0.3
Oracle ≫ Retail Merchandising System Version16.0.2
Oracle ≫ Retail Merchandising System Version16.0.3
Oracle ≫ Retail Sales Audit Version14.1
Oracle ≫ Siebel Engineering - Installer & Deployment Version <= 2.20.5
Oracle ≫ Siebel Ui Framework Version <= 20.5
Oracle ≫ Siebel Ui Framework Version20.6
Oracle ≫ Webcenter Portal Version12.2.1.3.0
Oracle ≫ Webcenter Portal Version12.2.1.4.0
Oracle ≫ Webcenter Sites Version12.2.1.3.0
Oracle ≫ Webcenter Sites Version12.2.1.4.0
Oracle ≫ Weblogic Server Version12.2.1.3.0
Oracle ≫ Weblogic Server Version12.2.1.4.0
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 5.68% | 0.92 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 7.5 | 10 | 6.4 |
AV:N/AC:L/Au:N/C:P/I:P/A:P
|
CWE-502 Deserialization of Untrusted Data
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
https://www.oracle.com/security-alerts/cpujan2020.html
https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E
https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E
https://www.oracle.com//security-alerts/cpujul2021.html
https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E
https://www.oracle.com/security-alerts/cpuapr2020.html
https://www.oracle.com/security-alerts/cpujul2020.html
https://www.oracle.com/security-alerts/cpuoct2020.html
https://www.oracle.com/security-alerts/cpuApr2021.html
https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E
https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E
https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
https://access.redhat.com/errata/RHSA-2019:3901
https://seclists.org/bugtraq/2019/Oct/6
https://www.debian.org/security/2019/dsa-4542
https://access.redhat.com/errata/RHSA-2020:0445
https://access.redhat.com/errata/RHSA-2020:0159
https://access.redhat.com/errata/RHSA-2020:0160
https://access.redhat.com/errata/RHSA-2020:0161
https://access.redhat.com/errata/RHSA-2020:0164
https://lists.debian.org/debian-lts-announce/2019/10/msg00001.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q7CANA7KV53JROZDX5Z5P26UG5VN2K43/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TH5VFUN4P7CCIP7KSEXYA5MUTFCUDUJT/
https://github.com/FasterXML/jackson-databind/issues/2478
https://issues.apache.org/jira/browse/GEODE-7255
https://lists.apache.org/thread.html/7782a937c9259a58337ee36b2961f00e2d744feafc13084e176d0df5%40%3Cissues.geode.apache.org%3E
https://lists.apache.org/thread.html/a430dbc9be874c41314cc69e697384567a9a24025e819d9485547954%40%3Cissues.geode.apache.org%3E
https://lists.apache.org/thread.html/b2e23c94f9dfef53e04c492e5d02e5c75201734be7adc73a49ef2370%40%3Cissues.geode.apache.org%3E
https://security.netapp.com/advisory/ntap-20191017-0006/