Free and open-source vulnerability scanner
Mageni eases for you the vulnerability scanning, assessment, and management process. It is free and open-source.
Install NowAvailable for macOS, Windows, and Linux
CVE-2019-12384
CVE information
Published
Last Modified
CVSSv2.0 Severity
CVSSv3.1 Severity
Impact Analysis
Description
FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible..
CVSSv2.0 Score
- Severity
- Medium
- Base Score
- 4.3/10
- Exploit Score
- 8.6/10
- Access Vector
- Network
- Access Complexity
- Medium
- Authentication Required
- None
- Impact Score
- 2.9/10
- Confidentiality Impact
- Partial
- Availability Impact
- None
- Integrity Impact
- None
CVSSv3.1 Score
- Severity
- Medium
- Base Score
- 5.9/10
- Exploit Score
- 2.2/10
- Access Vector
- Network
- Access Complexity
- High
- Privileges Required
- None
- Impact Score
- 3.6/10
- Confidentiality Impact
- High
- Availability Impact
- None
- Integrity Impact
- None
- Scope
- Unchanged
- User Interaction
- None
Products Affected
CPE | Affected | Vulnerable | Excluding | Edit |
---|---|---|---|---|
cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:* |
Yes
|
2.9.0 | 2.9.9.1 | |
cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:* |
Yes
|
2.7.0 | 2.7.9.6 | |
cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:* |
Yes
|
2.8.0 | 2.8.11.4 | |
cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:* |
Yes
|
2.0.0 | 2.6.7.3 | |
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:* |
Yes
|
- | - | |
cpe:2.3:o:redhat:enterprise_linux:7.4:*:*:*:*:*:*:* |
Yes
|
- | - | |
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:* |
Yes
|
- | - | |
cpe:2.3:o:redhat:enterprise_linux:7.5:*:*:*:*:*:*:* |
Yes
|
- | - | |
cpe:2.3:o:redhat:enterprise_linux:7.6:*:*:*:*:*:*:* |
Yes
|
- | - | |
cpe:2.3:o:redhat:enterprise_linux:7.7:*:*:*:*:*:*:* |
Yes
|
- | - |
References
- https://lists.debian.org/debian-lts-announce/2019/06/msg00019.html
- https://doyensec.com/research.html
- https://github.com/FasterXML/jackson-databind/compare/74b90a4...a977aad
- https://security.netapp.com/advisory/ntap-20190703-0002/
- https://access.redhat.com/errata/RHSA-2019:1820
- https://blog.doyensec.com/2019/07/22/jackson-gadgets.html
- https://access.redhat.com/errata/RHSA-2019:2720
- https://access.redhat.com/errata/RHSA-2019:2858
- https://access.redhat.com/errata/RHSA-2019:2937
- https://access.redhat.com/errata/RHSA-2019:2936
- https://access.redhat.com/errata/RHSA-2019:2935
- https://access.redhat.com/errata/RHSA-2019:2938
- https://www.debian.org/security/2019/dsa-4542
- https://seclists.org/bugtraq/2019/Oct/6
- https://access.redhat.com/errata/RHSA-2019:2998
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- https://access.redhat.com/errata/RHSA-2019:3149
- https://access.redhat.com/errata/RHSA-2019:3292
- https://access.redhat.com/errata/RHSA-2019:3297
- https://access.redhat.com/errata/RHSA-2019:3200
- https://access.redhat.com/errata/RHSA-2019:3901
- https://access.redhat.com/errata/RHSA-2019:4352
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://lists.apache.org/thread.html/0d4b630d9ee724aee50703397d9d1afa2b2befc9395ba7797d0
- https://lists.apache.org/thread.html/56c8042873595b8c863054c7bfccab4bf2c01c6f5abedae249d
- https://lists.apache.org/thread.html/2d2a76440becb610b9a9cb49b15eac3934b02c2dbcaacde1000
- https://lists.apache.org/thread.html/34717424b4d08b74f65c09a083d6dd1cb0763f37a15d6de1359
- https://lists.apache.org/thread.html/ee0a051428d2c719acfa297d0854a189ea5e284ef3ed491fa67
- https://lists.apache.org/thread.html/5ecc333113b139429f4f05000d4aa2886974d4df3269c1dd990
- https://lists.apache.org/thread.html/940b4c3fef002461b89a050935337056d4a036a65ef68e0bbd4
- https://lists.apache.org/thread.html/5fc0e16b7af2590bf1e97c76c136291c4fdb244ee63c65c485c
- https://lists.apache.org/thread.html/87e46591de8925f719664a845572d184027258c5a7af0a471b5
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org
- https://lists.apache.org/thread.html/3f99ae8dcdbd69438cb733d745ee3ad5e852068490719a66509
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org
- https://lists.apache.org/thread.html/e0733058c0366b703e6757d8d2a7a04b943581f659e9c271f08
- https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0
- https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b
- https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798
- https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e7639
- https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6c