9.8
CVE-2019-17531
- EPSS 1.19%
- Published 12.10.2019 21:15:08
- Last modified 21.11.2024 04:32:27
- Source cve@mitre.org
- Teams watchlist Login
- Open Login
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.
Data is provided by the National Vulnerability Database (NVD)
Fasterxml ≫ Jackson-databind Version >= 2.0.0 < 2.6.7.3
Fasterxml ≫ Jackson-databind Version >= 2.7.0 < 2.8.11.5
Fasterxml ≫ Jackson-databind Version >= 2.9.0 < 2.9.10.1
Debian ≫ Debian Linux Version8.0
Redhat ≫ Jboss Enterprise Application Platform Version7.2
Redhat ≫ Enterprise Linux Server Version6.0
Redhat ≫ Enterprise Linux Server Version7.0
Redhat ≫ Enterprise Linux Server Version8.0
Redhat ≫ Enterprise Linux Server Version7.0
Redhat ≫ Enterprise Linux Server Version8.0
Redhat ≫ Jboss Enterprise Application Platform Version7.3
Redhat ≫ Enterprise Linux Server Version6.0
Redhat ≫ Enterprise Linux Server Version7.0
Redhat ≫ Enterprise Linux Server Version8.0
Redhat ≫ Enterprise Linux Server Version7.0
Redhat ≫ Enterprise Linux Server Version8.0
Oracle ≫ Banking Platform Version2.4.0
Oracle ≫ Banking Platform Version2.4.1
Oracle ≫ Banking Platform Version2.5.0
Oracle ≫ Banking Platform Version2.6.0
Oracle ≫ Banking Platform Version2.6.1
Oracle ≫ Banking Platform Version2.6.2
Oracle ≫ Banking Platform Version2.7.0
Oracle ≫ Banking Platform Version2.7.1
Oracle ≫ Banking Platform Version2.9.0
Oracle ≫ Communications Billing And Revenue Management Version7.5.0.23.0
Oracle ≫ Communications Billing And Revenue Management Version12.0.0.3.0
Oracle ≫ Communications Calendar Server Version8.0.0.2.0
Oracle ≫ Communications Calendar Server Version8.0.0.3.0
Oracle ≫ Global Lifecycle Management Nextgen Oui Framework Version12.2.1.3.0
Oracle ≫ Global Lifecycle Management Nextgen Oui Framework Version12.2.1.4.0
Oracle ≫ Global Lifecycle Management Nextgen Oui Framework Version13.9.4.2.2
Oracle ≫ Goldengate Application Adapters Version19.1.0.0.0
Oracle ≫ Jd Edwards Enterpriseone Orchestrator Version9.2
Oracle ≫ Jd Edwards Enterpriseone Tools Version9.2
Oracle ≫ Primavera Gateway Version >= 17.7 <= 17.12.6
Oracle ≫ Primavera Gateway Version >= 18.8.0 <= 18.8.8
Oracle ≫ Primavera Gateway Version16.1
Oracle ≫ Primavera Gateway Version16.2
Oracle ≫ Primavera Gateway Version19.12.0
Oracle ≫ Retail Merchandising System Version15.0.3
Oracle ≫ Retail Merchandising System Version16.0.2
Oracle ≫ Retail Merchandising System Version16.0.3
Oracle ≫ Retail Sales Audit Version14.1
Oracle ≫ Siebel Engineering - Installer & Deployment Version <= 2.20.5
Oracle ≫ Trace File Analyzer Version12.2.0.1
Oracle ≫ Trace File Analyzer Version18c
Oracle ≫ Trace File Analyzer Version19c
Oracle ≫ Webcenter Portal Version12.2.1.3.0
Oracle ≫ Webcenter Portal Version12.2.1.4.0
Oracle ≫ Webcenter Sites Version12.2.1.3.0
Oracle ≫ Webcenter Sites Version12.2.1.4.0
Oracle ≫ Weblogic Server Version12.2.1.3.0
Oracle ≫ Weblogic Server Version12.2.1.4.0
Netapp ≫ Oncommand Workflow Automation Version-
Netapp ≫ Steelstore Cloud Integrated Storage Version-
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.19% | 0.78 |
| Source | Base Score | Exploit Score | Impact Score | Vector string |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 6.8 | 8.6 | 6.4 |
AV:N/AC:M/Au:N/C:P/I:P/A:P
|
CWE-502 Deserialization of Untrusted Data
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.