UBUNTU-CVE-2019-16943

See a problem?

Source

https://ubuntu.com/security/notices/UBUNTU-CVE-2019-16943

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-16943.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2019-16943

Related

Published

2019-10-01T17:15:00Z

Modified

2019-10-01T17:15:00Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.

References

Affected packages

Ubuntu:Pro:14.04:LTS / jackson-databind

Package

Name: jackson-databind

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.2.2-1

2.2.2-1ubuntu0.1~esm1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:Pro:16.04:LTS / jackson-databind

Package

Name: jackson-databind
Purl: pkg:deb/ubuntu/jackson-databind@2.4.2-3ubuntu0.1~esm2?arch=src?distro=esm-apps/xenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.4.2-3ubuntu0.1~esm2

Affected versions

2.*

2.4.2-2

2.4.2-3

2.4.2-3ubuntu0.1~esm1

Ecosystem specific

{
    "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "libjackson2-databind-java-doc": "2.4.2-3ubuntu0.1~esm2",
            "libjackson2-databind-java": "2.4.2-3ubuntu0.1~esm2"
        }
    ]
}

Ubuntu:Pro:18.04:LTS / jackson-databind

Package

Name: jackson-databind

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.8.6-1

2.9.1-1

2.9.4-1

2.9.5-1

2.9.8-1~18.04

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:20.04:LTS / jackson-databind

Package

Name: jackson-databind
Purl: pkg:deb/ubuntu/jackson-databind@2.10.0-2?arch=src?distro=focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.10.0-2

Affected versions

2.*

2.9.9.3-1

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "libjackson2-databind-java-doc": "2.10.0-2",
            "libjackson2-databind-java": "2.10.0-2"
        }
    ]
}