Lucene search

MitreCVE-2019-17531

HistoryOct 12, 2019 - 9:15 p.m.

CVE-2019-17531

2019-10-1221:15:08

CWE-502

mitre

web.nvd.nist.gov

297

cve-2019-17531

nvd

polymorphic typing

fasterxml

jackson-databind

default typing

json endpoint

apache-log4j-extra

jndi service

security issue

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.2

Confidence

High

EPSS

0.007

Percentile

80.2%

JSON

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.

Affected configurations

Nvd

Node

fasterxmljackson-databindRange2.0.0–2.6.7.3

fasterxmljackson-databindRange2.7.0–2.8.11.5

fasterxmljackson-databindRange2.9.0–2.9.10.1

Node

debiandebian_linuxMatch8.0

Node

redhatjboss_enterprise_application_platformMatch7.2

redhatjboss_enterprise_application_platformMatch7.3

AND

redhatenterprise_linux_serverMatch6.0

redhatenterprise_linux_serverMatch7.0

redhatenterprise_linux_serverMatch8.0

Node

oraclebanking_platformMatch2.4.0

oraclebanking_platformMatch2.4.1

oraclebanking_platformMatch2.5.0

oraclebanking_platformMatch2.6.0

oraclebanking_platformMatch2.6.1

oraclebanking_platformMatch2.6.2

oraclebanking_platformMatch2.7.0

oraclebanking_platformMatch2.7.1

oraclebanking_platformMatch2.9.0

oraclecommunications_billing_and_revenue_managementMatch7.5.0.23.0

oraclecommunications_billing_and_revenue_managementMatch12.0.0.3.0

oraclecommunications_calendar_serverMatch8.0.0.2.0

oraclecommunications_calendar_serverMatch8.0.0.3.0

oraclecommunications_cloud_native_core_network_slice_selection_functionMatch1.2.1

oraclecommunications_evolved_communications_application_serverMatch7.1

oracleglobal_lifecycle_management_nextgen_oui_frameworkMatch12.2.1.3.0

oracleglobal_lifecycle_management_nextgen_oui_frameworkMatch12.2.1.4.0

oracleglobal_lifecycle_management_nextgen_oui_frameworkMatch13.9.4.2.2

oraclegoldengate_application_adaptersMatch19.1.0.0.0

oraclejd_edwards_enterpriseone_orchestratorMatch9.2

oraclejd_edwards_enterpriseone_toolsMatch9.2

oracleprimavera_gatewayRange17.7–17.12.6

oracleprimavera_gatewayRange18.8.0–18.8.8

oracleprimavera_gatewayMatch16.1

oracleprimavera_gatewayMatch16.2

oracleprimavera_gatewayMatch19.12.0

oracleretail_merchandising_systemMatch15.0.3

oracleretail_merchandising_systemMatch16.0.2

oracleretail_merchandising_systemMatch16.0.3

oracleretail_sales_auditMatch14.1

oraclesiebel_engineering_-_installer_\&_deploymentRange≤2.20.5

oracletrace_file_analyzerMatch12.2.0.1

oracletrace_file_analyzerMatch18c

oracletrace_file_analyzerMatch19c

oraclewebcenter_portalMatch12.2.1.3.0

oraclewebcenter_portalMatch12.2.1.4.0

oraclewebcenter_sitesMatch12.2.1.3.0

oraclewebcenter_sitesMatch12.2.1.4.0

oracleweblogic_serverMatch12.2.1.3.0

oracleweblogic_serverMatch12.2.1.4.0

Node

netapponcommand_workflow_automationMatch-

netappsteelstore_cloud_integrated_storageMatch-

VendorProductVersionCPE
fasterxmljackson-databind*cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*
debiandebian_linux8.0cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
redhatjboss_enterprise_application_platform7.2cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2:*:*:*:*:*:*:*
redhatjboss_enterprise_application_platform7.3cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3:*:*:*:*:*:*:*
redhatenterprise_linux_server6.0cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
redhatenterprise_linux_server7.0cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
redhatenterprise_linux_server8.0cpe:2.3:o:redhat:enterprise_linux_server:8.0:*:*:*:*:*:*:*
oraclebanking_platform2.4.0cpe:2.3:a:oracle:banking_platform:2.4.0:*:*:*:*:*:*:*
oraclebanking_platform2.4.1cpe:2.3:a:oracle:banking_platform:2.4.1:*:*:*:*:*:*:*
oraclebanking_platform2.5.0cpe:2.3:a:oracle:banking_platform:2.5.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
fasterxml	jackson-databind	*	cpe:2.3:a:fasterxml:jackson-databind::::::::
debian	debian_linux	8.0	cpe:2.3:o:debian:debian_linux:8.0:::::::*
redhat	jboss_enterprise_application_platform	7.2	cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2:::::::*
redhat	jboss_enterprise_application_platform	7.3	cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3:::::::*
redhat	enterprise_linux_server	6.0	cpe:2.3:o:redhat:enterprise_linux_server:6.0:::::::*
redhat	enterprise_linux_server	7.0	cpe:2.3:o:redhat:enterprise_linux_server:7.0:::::::*
redhat	enterprise_linux_server	8.0	cpe:2.3:o:redhat:enterprise_linux_server:8.0:::::::*
oracle	banking_platform	2.4.0	cpe:2.3:a:oracle:banking_platform:2.4.0:::::::*
oracle	banking_platform	2.4.1	cpe:2.3:a:oracle:banking_platform:2.4.1:::::::*
oracle	banking_platform	2.5.0	cpe:2.3:a:oracle:banking_platform:2.5.0:::::::*