CVE-2019-12814

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.

Database specific

{
    "unresolved_ranges": [
        {
            "cpe": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
            "source": "CPE_FIELD",
            "extracted_events": [
                {
                    "last_affected": "8.0"
                }
            ]
        }
    ]
}

References

Affected packages

Git / github.com/fasterxml/jackson-databind

Affected ranges

Type

GIT

Repo

https://github.com/fasterxml/jackson-databind

Events

Introduced

e8df0987e3034d102ee6d704d30a05a2e3ac7089

Fixed

ec1adf8c72625fd51b30105afad7464c4332d542

Introduced

50791cc7856376949287e0be3e96147665ab8f68

Fixed

97986cb157d9d1da1256b24ea01b6c9f03b736dd

Introduced

81929fad84189ce59ef82e7a6d0df795eb0c7cdb

Fixed

e013e0f1279b623257d2f0d3ac66b7355db9561d

Introduced

e969f0a31b781f5dfb74e16ddd5ee4b4fa36e8d8

Fixed

bf93aeb39ee9b1ea1ac4e1625e7d33377d1007f5

Database specific

{
    "cpe": "cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*",
    "source": "CPE_FIELD",
    "extracted_events": [
        {
            "introduced": "2.0.0"
        },
        {
            "fixed": "2.6.7.3"
        },
        {
            "introduced": "2.7.0"
        },
        {
            "fixed": "2.7.9.6"
        },
        {
            "introduced": "2.8.0"
        },
        {
            "fixed": "2.8.11.4"
        },
        {
            "introduced": "2.9.0"
        },
        {
            "fixed": "2.9.9.2"
        }
    ]
}

Affected versions

2.*

2.2.0c

2.6.0-rc3b

jackson-databind-2.*

jackson-databind-2.0.0

jackson-databind-2.0.1

jackson-databind-2.0.2

jackson-databind-2.1.0

jackson-databind-2.1.1

jackson-databind-2.2.0

jackson-databind-2.2.1

jackson-databind-2.2.2

jackson-databind-2.3.0

jackson-databind-2.3.0-rc1

jackson-databind-2.3.1

jackson-databind-2.4.0

jackson-databind-2.4.0-rc1

jackson-databind-2.4.0-rc2

jackson-databind-2.4.0-rc3

jackson-databind-2.4.1

jackson-databind-2.4.1.1

jackson-databind-2.4.1.2

jackson-databind-2.4.1.3

jackson-databind-2.5.0

jackson-databind-2.5.0-rc1

jackson-databind-2.6.0

jackson-databind-2.6.0-rc1

jackson-databind-2.6.0-rc4

jackson-databind-2.6.1

jackson-databind-2.6.2

jackson-databind-2.6.3

jackson-databind-2.6.4

jackson-databind-2.6.5

jackson-databind-2.6.6

jackson-databind-2.6.7

jackson-databind-2.6.7.1

jackson-databind-2.6.7.2

jackson-databind-2.7.0

jackson-databind-2.7.1

jackson-databind-2.7.1-1

jackson-databind-2.7.2

jackson-databind-2.7.3

jackson-databind-2.7.4

jackson-databind-2.7.5

jackson-databind-2.7.6

jackson-databind-2.7.7

jackson-databind-2.7.8

jackson-databind-2.7.9

jackson-databind-2.7.9.1

jackson-databind-2.7.9.2

jackson-databind-2.7.9.3

jackson-databind-2.7.9.4

jackson-databind-2.7.9.5

jackson-databind-2.8.0

jackson-databind-2.8.1

jackson-databind-2.8.10

jackson-databind-2.8.11

jackson-databind-2.8.11.1

jackson-databind-2.8.11.2

jackson-databind-2.8.11.3

jackson-databind-2.8.2

jackson-databind-2.8.3

jackson-databind-2.8.4

jackson-databind-2.8.5

jackson-databind-2.8.6

jackson-databind-2.8.7

jackson-databind-2.8.8

jackson-databind-2.8.8.1

jackson-databind-2.8.9

jackson-databind-2.9.0

jackson-databind-2.9.1

jackson-databind-2.9.3

jackson-databind-2.9.4

jackson-databind-2.9.5

jackson-databind-2.9.6

jackson-databind-2.9.7

jackson-databind-2.9.8

jackson-databind-2.9.9

jackson-databind-2.9.9.1

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-12814.json"