FLAT-O32FA – Vulnerability | Fluid Attacks Database

Database

Description

Deserialization of untrusted data in FasterXML jackson-databind A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2, 2.8.11.4, 2.7.9.6, and 2.6.7.3. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	jackson-databind	>=0 <2.9.9.3-1	2.9.9.3-1
debian 12	jackson-databind	>=0 <2.9.9.3-1	2.9.9.3-1
debian 13	jackson-databind	>=0 <2.9.9.3-1	2.9.9.3-1
maven	com.fasterxml.jackson.core:jackson-databind	>=2.9.0 <2.9.9.2 \|\| >=2.8.0 <2.8.11.4 \|\| >=2.7.0 <2.7.9.6 \|\| >=0 <2.6.7.3	2.9.9.2, 2.8.11.4, 2.7.9.6, 2.6.7.3
debian 14	jackson-databind	>=0 <2.9.9.3-1	2.9.9.3-1

Aliases

1. CVE-2019-144392. NVD-2019-144393. OSV-DEBIAN-2019-144394. OSV-2019-144395. GCVE-2019-144396. SECURITY-TRACKER-CVE-2019-144397. lists.debian.org8. access.redhat.com

References

1. https://github.com/jas502n/CVE-2019-144392. https://github.com/FasterXML/jackson-databind/issues/23893. https://github.com/FasterXML/jackson-databind/commit/ad418eeb974e357f2797aef64aa0e3ffaaa6125b4. https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E5. https://lists.apache.org/thread.html/ee0a051428d2c719acfa297d0854a189ea5e284ef3ed491fa672f4be@%3Cdev.tomee.apache.org%3E6. https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E7. https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E8. https://lists.fedoraproject.org/archives/list/[email protected]/message/OVRZDN2T6AZ6DJCZJ3VSIQIVHBVMVWBL9. https://lists.fedoraproject.org/archives/list/[email protected]/message/TXRVXNRFHJSQWFHPRJQRI5UPMZ63B54410. https://seclists.org/bugtraq/2019/Oct/611. https://security.netapp.com/advisory/ntap-20190814-000112. https://www.debian.org/security/2019/dsa-454213. https://www.oracle.com/security-alerts/cpuapr2020.html14. https://www.oracle.com/security-alerts/cpujan2020.html15. https://www.oracle.com/security-alerts/cpujul2020.html16. https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html17. https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E18. https://lists.apache.org/thread.html/940b4c3fef002461b89a050935337056d4a036a65ef68e0bbd4621ef@%3Cdev.struts.apache.org%3E19. https://lists.apache.org/thread.html/87e46591de8925f719664a845572d184027258c5a7af0a471b53c77b@%3Cdev.tomee.apache.org%3E20. https://lists.apache.org/thread.html/5fc0e16b7af2590bf1e97c76c136291c4fdb244ee63c65c485c9a7a1@%3Cdev.tomee.apache.org%3E21. https://lists.apache.org/thread.html/5ecc333113b139429f4f05000d4aa2886974d4df3269c1dd990bb319@%3Cdev.tomee.apache.org%3E22. https://lists.apache.org/thread.html/56c8042873595b8c863054c7bfccab4bf2c01c6f5abedae249d914b9@%3Cdev.tomee.apache.org%3E23. https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E24. https://lists.apache.org/thread.html/3f99ae8dcdbd69438cb733d745ee3ad5e852068490719a66509b4592@%3Ccommits.cassandra.apache.org%3E25. https://lists.apache.org/thread.html/34717424b4d08b74f65c09a083d6dd1cb0763f37a15d6de135998c1d@%3Cdev.tomee.apache.org%3E26. https://lists.apache.org/thread.html/2d2a76440becb610b9a9cb49b15eac3934b02c2dbcaacde1000353e4@%3Cdev.tomee.apache.org%3E27. https://lists.apache.org/thread.html/0d4b630d9ee724aee50703397d9d1afa2b2befc9395ba7797d0ccea9@%3Cdev.tomee.apache.org%3E28. https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.1...jackson-databind-2.9.9.2