9.8
CVE-2019-17531
- EPSS 5.33%
- Veröffentlicht 12.10.2019 21:15:08
- Zuletzt bearbeitet 21.11.2024 04:32:27
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Fasterxml ≫ Jackson-databind Version >= 2.0.0 < 2.6.7.3
Fasterxml ≫ Jackson-databind Version >= 2.7.0 < 2.8.11.5
Fasterxml ≫ Jackson-databind Version >= 2.9.0 < 2.9.10.1
Debian ≫ Debian Linux Version8.0
Redhat ≫ Jboss Enterprise Application Platform Version7.2
Redhat ≫ Enterprise Linux Server Version6.0
Redhat ≫ Enterprise Linux Server Version7.0
Redhat ≫ Enterprise Linux Server Version8.0
Redhat ≫ Enterprise Linux Server Version7.0
Redhat ≫ Enterprise Linux Server Version8.0
Redhat ≫ Jboss Enterprise Application Platform Version7.3
Redhat ≫ Enterprise Linux Server Version6.0
Redhat ≫ Enterprise Linux Server Version7.0
Redhat ≫ Enterprise Linux Server Version8.0
Redhat ≫ Enterprise Linux Server Version7.0
Redhat ≫ Enterprise Linux Server Version8.0
Oracle ≫ Banking Platform Version2.4.0
Oracle ≫ Banking Platform Version2.4.1
Oracle ≫ Banking Platform Version2.5.0
Oracle ≫ Banking Platform Version2.6.0
Oracle ≫ Banking Platform Version2.6.1
Oracle ≫ Banking Platform Version2.6.2
Oracle ≫ Banking Platform Version2.7.0
Oracle ≫ Banking Platform Version2.7.1
Oracle ≫ Banking Platform Version2.9.0
Oracle ≫ Communications Billing And Revenue Management Version7.5.0.23.0
Oracle ≫ Communications Billing And Revenue Management Version12.0.0.3.0
Oracle ≫ Communications Calendar Server Version8.0.0.2.0
Oracle ≫ Communications Calendar Server Version8.0.0.3.0
Oracle ≫ Global Lifecycle Management Nextgen Oui Framework Version12.2.1.3.0
Oracle ≫ Global Lifecycle Management Nextgen Oui Framework Version12.2.1.4.0
Oracle ≫ Global Lifecycle Management Nextgen Oui Framework Version13.9.4.2.2
Oracle ≫ Goldengate Application Adapters Version19.1.0.0.0
Oracle ≫ Jd Edwards Enterpriseone Orchestrator Version9.2
Oracle ≫ Jd Edwards Enterpriseone Tools Version9.2
Oracle ≫ Primavera Gateway Version >= 17.7 <= 17.12.6
Oracle ≫ Primavera Gateway Version >= 18.8.0 <= 18.8.8
Oracle ≫ Primavera Gateway Version16.1
Oracle ≫ Primavera Gateway Version16.2
Oracle ≫ Primavera Gateway Version19.12.0
Oracle ≫ Retail Merchandising System Version15.0.3
Oracle ≫ Retail Merchandising System Version16.0.2
Oracle ≫ Retail Merchandising System Version16.0.3
Oracle ≫ Retail Sales Audit Version14.1
Oracle ≫ Siebel Engineering - Installer & Deployment Version <= 2.20.5
Oracle ≫ Trace File Analyzer Version12.2.0.1
Oracle ≫ Trace File Analyzer Version18c
Oracle ≫ Trace File Analyzer Version19c
Oracle ≫ Webcenter Portal Version12.2.1.3.0
Oracle ≫ Webcenter Portal Version12.2.1.4.0
Oracle ≫ Webcenter Sites Version12.2.1.3.0
Oracle ≫ Webcenter Sites Version12.2.1.4.0
Oracle ≫ Weblogic Server Version12.2.1.3.0
Oracle ≫ Weblogic Server Version12.2.1.4.0
Netapp ≫ Oncommand Workflow Automation Version-
Netapp ≫ Steelstore Cloud Integrated Storage Version-
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 5.33% | 0.916 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 6.8 | 8.6 | 6.4 |
AV:N/AC:M/Au:N/C:P/I:P/A:P
|
CWE-502 Deserialization of Untrusted Data
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
https://www.oracle.com/security-alerts/cpujan2020.html
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpuapr2020.html
https://www.oracle.com/security-alerts/cpujul2020.html
https://www.oracle.com/security-alerts/cpuoct2020.html
https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E
https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E
https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
https://access.redhat.com/errata/RHSA-2020:0445
https://access.redhat.com/errata/RHSA-2020:0159
https://access.redhat.com/errata/RHSA-2020:0160
https://access.redhat.com/errata/RHSA-2020:0161
https://access.redhat.com/errata/RHSA-2020:0164
https://lists.apache.org/thread.html/r392099ed2757ff2e383b10440594e914d080511d7da1c8fed0612c1f%40%3Ccommits.druid.apache.org%3E
https://lists.debian.org/debian-lts-announce/2019/12/msg00013.html
https://access.redhat.com/errata/RHSA-2019:4192
https://github.com/FasterXML/jackson-databind/issues/2498
https://lists.apache.org/thread.html/b3c90d38f99db546de60fea65f99a924d540fae2285f014b79606ca5%40%3Ccommits.pulsar.apache.org%3E
https://security.netapp.com/advisory/ntap-20191024-0005/