DEBIAN-CVE-2019-16942
- Source
- https://security-tracker.debian.org/tracker/DEBIAN-CVE-2019-16942
- Import Source
- https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2019-16942.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2019-16942
- Upstream
- Published
- 2019-10-01T17:15:10Z
- Modified
- 2025-09-18T05:18:02Z
- Summary
- [none]
- Details
-
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.
- References
Affected packages
Debian:11 / jackson-databind
Package
- Name
- jackson-databind
- Purl
- pkg:deb/debian/jackson-databind?arch=source
Debian:12 / jackson-databind
Package
- Name
- jackson-databind
- Purl
- pkg:deb/debian/jackson-databind?arch=source
Debian:13 / jackson-databind
Package
- Name
- jackson-databind
- Purl
- pkg:deb/debian/jackson-databind?arch=source
Debian:14 / jackson-databind
Package
- Name
- jackson-databind
- Purl
- pkg:deb/debian/jackson-databind?arch=source