Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2019-17531

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.

Published

2019-10-12T21:15:08.570

Last Modified

2024-11-21T04:32:27.613

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 9.8 (CRITICAL)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:P/I:P/A:P

  • Access Vector: NETWORK
  • Access Complexity: MEDIUM
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL
Exploitability Score

8.6

Impact Score

6.4

Weaknesses
  • Type: Primary
    CWE-502
Affected Vendors & Products
Type Vendor Product Version/Range Vulnerable?
Application fasterxml jackson-databind < 2.6.7.3 Yes
Application fasterxml jackson-databind < 2.8.11.5 Yes
Application fasterxml jackson-databind < 2.9.10.1 Yes
Operating System debian debian_linux 8.0 Yes
Application redhat jboss_enterprise_application_platform 7.2 Yes
Application redhat jboss_enterprise_application_platform 7.3 Yes
Operating System redhat enterprise_linux_server 6.0 No
Operating System redhat enterprise_linux_server 7.0 No
Operating System redhat enterprise_linux_server 8.0 No
Application oracle banking_platform 2.4.0 Yes
Application oracle banking_platform 2.4.1 Yes
Application oracle banking_platform 2.5.0 Yes
Application oracle banking_platform 2.6.0 Yes
Application oracle banking_platform 2.6.1 Yes
Application oracle banking_platform 2.6.2 Yes
Application oracle banking_platform 2.7.0 Yes
Application oracle banking_platform 2.7.1 Yes
Application oracle banking_platform 2.9.0 Yes
Application oracle communications_billing_and_revenue_management 7.5.0.23.0 Yes
Application oracle communications_billing_and_revenue_management 12.0.0.3.0 Yes
Application oracle communications_calendar_server 8.0.0.2.0 Yes
Application oracle communications_calendar_server 8.0.0.3.0 Yes
Application oracle communications_cloud_native_core_network_slice_selection_function 1.2.1 Yes
Application oracle communications_evolved_communications_application_server 7.1 Yes
Application oracle global_lifecycle_management_nextgen_oui_framework 12.2.1.3.0 Yes
Application oracle global_lifecycle_management_nextgen_oui_framework 12.2.1.4.0 Yes
Application oracle global_lifecycle_management_nextgen_oui_framework 13.9.4.2.2 Yes
Application oracle goldengate_application_adapters 19.1.0.0.0 Yes
Application oracle jd_edwards_enterpriseone_orchestrator 9.2 Yes
Application oracle jd_edwards_enterpriseone_tools 9.2 Yes
Application oracle primavera_gateway ≤ 17.12.6 Yes
Application oracle primavera_gateway ≤ 18.8.8 Yes
Application oracle primavera_gateway 16.1 Yes
Application oracle primavera_gateway 16.2 Yes
Application oracle primavera_gateway 19.12.0 Yes
Application oracle retail_merchandising_system 15.0.3 Yes
Application oracle retail_merchandising_system 16.0.2 Yes
Application oracle retail_merchandising_system 16.0.3 Yes
Application oracle retail_sales_audit 14.1 Yes
Application oracle siebel_engineering_-_installer_\&_deployment ≤ 2.20.5 Yes
Application oracle trace_file_analyzer 12.2.0.1 Yes
Application oracle trace_file_analyzer 18c Yes
Application oracle trace_file_analyzer 19c Yes
Application oracle webcenter_portal 12.2.1.3.0 Yes
Application oracle webcenter_portal 12.2.1.4.0 Yes
Application oracle webcenter_sites 12.2.1.3.0 Yes
Application oracle webcenter_sites 12.2.1.4.0 Yes
Application oracle weblogic_server 12.2.1.3.0 Yes
Application oracle weblogic_server 12.2.1.4.0 Yes
Application netapp oncommand_workflow_automation - Yes
Application netapp steelstore_cloud_integrated_storage - Yes
References