9.8

CVE-2019-16943

EPSS 1.84%
Published 01.10.2019 17:15:10
Last modified 21.11.2024 04:31:23
Source cve@mitre.org
Teams watchlist Login
Open Login

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.

Affected products Warnungen 0 Metrics 3 CWE 1 References 29

Data is provided by the National Vulnerability Database (NVD)

Fasterxml ≫ Jackson-databind Version >= 2.0.0 < 2.6.7.3

Fasterxml ≫ Jackson-databind Version >= 2.7.0 < 2.8.11.5

Fasterxml ≫ Jackson-databind Version >= 2.9.0 < 2.9.10.1

Debian ≫ Debian Linux Version8.0

Debian ≫ Debian Linux Version9.0

Debian ≫ Debian Linux Version10.0

Fedoraproject ≫ Fedora Version30

Fedoraproject ≫ Fedora Version31

Redhat ≫ Jboss Enterprise Application Platform Version7.2

Redhat ≫ Enterprise Linux Server Version6.0
Redhat ≫ Enterprise Linux Server Version7.0

Redhat ≫ Jboss Enterprise Application Platform Version7.3

Redhat ≫ Enterprise Linux Server Version6.0
Redhat ≫ Enterprise Linux Server Version7.0

Redhat ≫ Jboss Enterprise Application Platform Version7.2

Redhat ≫ Enterprise Linux Server Version8.0

Redhat ≫ Jboss Enterprise Application Platform Version7.3

Redhat ≫ Enterprise Linux Server Version8.0

Oracle ≫ Banking Platform Version2.4.0

Oracle ≫ Banking Platform Version2.4.1

Oracle ≫ Banking Platform Version2.5.0

Oracle ≫ Banking Platform Version2.6.0

Oracle ≫ Banking Platform Version2.6.1

Oracle ≫ Banking Platform Version2.6.2

Oracle ≫ Banking Platform Version2.7.0

Oracle ≫ Banking Platform Version2.7.1

Oracle ≫ Banking Platform Version2.9.0

Oracle ≫ Communications Billing And Revenue Management Version7.5.0.23.0

Oracle ≫ Communications Billing And Revenue Management Version12.0.0.3.0

Oracle ≫ Communications Calendar Server Version8.0.0.2.0

Oracle ≫ Communications Calendar Server Version8.0.0.3.0

Oracle ≫ Communications Cloud Native Core Network Slice Selection Function Version1.2.1

Oracle ≫ Communications Evolved Communications Application Server Version7.1

Oracle ≫ Global Lifecycle Management Nextgen Oui Framework Version12.2.1.3.0

Oracle ≫ Global Lifecycle Management Nextgen Oui Framework Version12.2.1.4.0

Oracle ≫ Global Lifecycle Management Nextgen Oui Framework Version13.9.4.2.2

Oracle ≫ Goldengate Application Adapters Version19.1.0.0.0

Oracle ≫ Jd Edwards Enterpriseone Orchestrator Version9.2

Oracle ≫ Jd Edwards Enterpriseone Tools Version9.2

Oracle ≫ Primavera Gateway Version >= 17.7 <= 17.12.6

Oracle ≫ Primavera Gateway Version >= 18.8.0 <= 18.8.8

Oracle ≫ Primavera Gateway Version16.1

Oracle ≫ Primavera Gateway Version16.2

Oracle ≫ Primavera Gateway Version19.12.0

Oracle ≫ Retail Merchandising System Version15.0.3

Oracle ≫ Retail Merchandising System Version16.0.2

Oracle ≫ Retail Merchandising System Version16.0.3

Oracle ≫ Retail Sales Audit Version14.1

Oracle ≫ Siebel Engineering - Installer & Deployment Version <= 2.20.5

Oracle ≫ Trace File Analyzer Version12.2.0.1

Oracle ≫ Trace File Analyzer Version18c

Oracle ≫ Trace File Analyzer Version19c

Oracle ≫ Webcenter Portal Version12.2.1.3.0

Oracle ≫ Webcenter Portal Version12.2.1.4.0

Oracle ≫ Webcenter Sites Version12.2.1.3.0

Oracle ≫ Webcenter Sites Version12.2.1.4.0

Oracle ≫ Weblogic Server Version12.2.1.3.0

Oracle ≫ Weblogic Server Version12.2.1.4.0

Netapp ≫ Active Iq Unified Manager SwPlatformlinux Version >= 7.3

Netapp ≫ Active Iq Unified Manager SwPlatformwindows Version >= 7.3

Netapp ≫ Active Iq Unified Manager SwPlatformvmware_vsphere Version >= 9.5

Netapp ≫ Oncommand Api Services Version-

Netapp ≫ Oncommand Workflow Automation Version-

Netapp ≫ Service Level Manager Version-

Netapp ≫ Steelstore Cloud Integrated Storage Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	1.84%	0.822

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	6.8	8.6	6.4	AV:N/AC:M/Au:N/C:P/I:P/A:P

CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

https://www.oracle.com/security-alerts/cpujan2020.html

Third Party Advisory

https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E

https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E

https://www.oracle.com//security-alerts/cpujul2021.html

Patch

Third Party Advisory

https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E

https://www.oracle.com/security-alerts/cpuapr2020.html

Third Party Advisory

https://www.oracle.com/security-alerts/cpujul2020.html

Third Party Advisory

https://www.oracle.com/security-alerts/cpuoct2020.html

Patch

Third Party Advisory

https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E

https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E

https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062

https://seclists.org/bugtraq/2019/Oct/6

Third Party Advisory

Mailing List

Issue Tracking

https://www.debian.org/security/2019/dsa-4542

Third Party Advisory

Mailing List

https://access.redhat.com/errata/RHSA-2020:0445

Third Party Advisory

https://lists.apache.org/thread.html/6788e4c991f75b89d290ad06b463fcd30bcae99fee610345a35b7bc6%40%3Cissues.iceberg.apache.org%3E

https://access.redhat.com/errata/RHSA-2020:0159

Third Party Advisory

https://access.redhat.com/errata/RHSA-2020:0160

Third Party Advisory

https://access.redhat.com/errata/RHSA-2020:0161

Third Party Advisory

https://access.redhat.com/errata/RHSA-2020:0164

Third Party Advisory

https://lists.debian.org/debian-lts-announce/2019/10/msg00001.html

Third Party Advisory

Mailing List

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q7CANA7KV53JROZDX5Z5P26UG5VN2K43/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TH5VFUN4P7CCIP7KSEXYA5MUTFCUDUJT/

https://github.com/FasterXML/jackson-databind/issues/2478

Patch

Third Party Advisory

https://security.netapp.com/advisory/ntap-20191017-0006/

Third Party Advisory

https://lists.apache.org/thread.html/5ec8d8d485c2c8ac55ea425f4cd96596ef37312532712639712ebcdd%40%3Ccommits.iceberg.apache.org%3E

https://lists.apache.org/thread.html/r392099ed2757ff2e383b10440594e914d080511d7da1c8fed0612c1f%40%3Ccommits.druid.apache.org%3E

https://nvd.nist.gov/vuln/detail/CVE-2019-16943

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2019-16943

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2019-16943

EUVD