VYPR
Critical severity · NVD Advisory · Published Jul 29, 2019 · Updated Aug 5, 2024

CVE-2019-14379

Description

FasterXML jackson-databind before 2.9.9.2 mishandles default typing with ehcache, allowing remote code execution via crafted JSON.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

CVE-2019-14379 is a remote code execution vulnerability in FasterXML jackson-databind versions prior to 2.9.9.2. The flaw resides in SubTypeValidator.java, which guards default typing with a denylist of class names (DEFAULT_NO_DESER_CLASS_NAMES) known to be unsafe to instantiate from JSON. The net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup class from the Ehcache library was missing from that list, so when Ehcache is present on the classpath an attacker can bypass the type restrictions and have the class instantiated from a crafted type id [4].

Exploitation

Conditions

Exploitation requires that default typing is enabled in the Jackson ObjectMapper (e.g., via @JsonTypeInfo or ObjectMapper.enableDefaultTyping()) and that the Ehcache library is available. An attacker can send a specially crafted JSON payload that triggers the instantiation of a malicious class, leading to arbitrary code execution. No authentication is required if the application deserializes untrusted JSON input [4].

Impact

Successful exploitation allows an attacker to execute arbitrary code in the context of the affected application. This can lead to full system compromise, data theft, or further lateral movement within the network. The vulnerability is rated critical with a CVSS score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) [4].

Mitigation

The vulnerability is fixed in jackson-databind version 2.9.9.2 and later (2.8.11.4 and 2.7.9.6 for the older release lines). Red Hat has released patches for JBoss Enterprise Application Platform (EAP) versions 7.3 and 7.4 across RHEL 6, 7, and 8, as documented in RHSA-2019:2935, RHSA-2019:2936, and RHSA-2019:2937 [1][2][3]. Users should upgrade to the patched versions and disable default typing wherever it is not required, since the fix only extends a denylist and does not protect against gadget classes that are not yet on it.
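As an added example (not code from this advisory or from the jackson-databind project), the two ObjectMapper configurations the narrative contrasts: the global default typing that exploitation requires, where the only guard is the fixed denylist the patch extends, and the allowlist-based form that jackson-databind 2.10 and later require, where a PolymorphicTypeValidator decides which type ids are honoured. It assumes jackson-databind 2.10 or newer on the classpath; the package com.example.model and the Shape and Circle types are assumptions standing in for an application's own model.

```java
package com.example.model;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingHardening {

    // Hypothetical application model; the allowlist below is scoped to this package.
    public interface Shape {}
    public static class Circle implements Shape { public double radius; }

    // BEFORE: the configuration the advisory warns about. Any non-final target type is
    // written with a type id, and on input the type id chooses the class to instantiate.
    // In 2.9.x the only guard is SubTypeValidator's denylist of known gadget class names.
    @SuppressWarnings("deprecation")
    public static ObjectMapper unsafeMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    // AFTER (2.10+): default typing can only be activated together with a validator.
    // This one accepts a type id only if the class name starts with the application's
    // own package prefix, so a gadget class in Ehcache, logback or any other library is
    // refused whether or not someone has added it to a denylist.
    public static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")   // assumed application package
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper safe = hardenedMapper();

        // Round trip of the application's own type: the type id the serializer writes
        // (com.example.model.DefaultTypingHardening$Circle) lies within the allowed prefix.
        Circle c = new Circle();
        c.radius = 2.5;
        String json = safe.writerFor(Shape.class).writeValueAsString(c);
        Shape back = safe.readValue(json, Shape.class);
        System.out.println("serialized: " + json + " -> " + back.getClass().getName());

        // Constructed input carrying a type id outside the allowlist. The validator refuses
        // it before any class is instantiated, independent of any denylist contents.
        String foreign = "[\"java.util.ArrayList\",[]]";
        try {
            safe.readValue(foreign, Shape.class);
            System.out.println("unexpected: foreign type id accepted");
        } catch (InvalidTypeIdException e) {
            System.out.println("rejected foreign type id: " + e.getTypeId());
        }
    }
}
```

For an application that cannot yet move to 2.10, the equivalent protection is the advisory's own advice: do not call enableDefaultTyping() at all for mappers that read untrusted input, and use explicit @JsonTypeInfo/@JsonSubTypes annotations with named subtypes where polymorphism is genuinely needed.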

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                       Ecosystem   Affected versions       Patched version
com.fasterxml.jackson.core:jackson-databind   Maven       >= 2.9.0, < 2.9.9.2     2.9.9.2
com.fasterxml.jackson.core:jackson-databind   Maven       >= 2.8.0, < 2.8.11.4    2.8.11.4
com.fasterxml.jackson.core:jackson-databind   Maven       < 2.7.9.6               2.7.9.6
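An added example, not part of the advisory, that evaluates the three ranges above the way a dependency audit would: given a resolved jackson-databind version string, it reports whether the version falls in an affected range and which patched version of the same release line to move to. Version components are compared numerically, so 2.9.10 sorts after 2.9.9.2 as intended; a trailing qualifier such as -rc1 is stripped before comparison.

```java
public class JacksonDatabindAffected {

    // The ranges exactly as listed in the advisory table:
    // {lower bound (inclusive, null = unbounded), upper bound (exclusive), patched version}
    private static final String[][] RANGES = {
        {"2.9.0", "2.9.9.2",  "2.9.9.2"},
        {"2.8.0", "2.8.11.4", "2.8.11.4"},
        {null,    "2.7.9.6",  "2.7.9.6"},
    };

    // Numeric component-wise comparison; missing trailing components count as 0,
    // so "2.9.9" and "2.9.9.0" compare equal.
    static int compare(String a, String b) {
        String[] x = a.split("\\."), y = b.split("\\.");
        int n = Math.max(x.length, y.length);
        for (int i = 0; i < n; i++) {
            int xi = i < x.length ? Integer.parseInt(x[i]) : 0;
            int yi = i < y.length ? Integer.parseInt(y[i]) : 0;
            if (xi != yi) return Integer.compare(xi, yi);
        }
        return 0;
    }

    /** Returns the patched version to upgrade to, or null if the version is not in an affected range. */
    public static String fixedVersionFor(String version) {
        // Drop anything from the first non-numeric, non-dot character (e.g. "-rc1", ".pr1").
        String v = version.replaceAll("[^0-9.].*$", "");
        for (String[] r : RANGES) {
            boolean aboveLower = r[0] == null || compare(v, r[0]) >= 0;
            boolean belowUpper = compare(v, r[1]) < 0;
            if (aboveLower && belowUpper) return r[2];
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample versions: one per release line, plus a boundary and a newer line.
        String[] samples = {"2.9.9.1", "2.9.9.2", "2.8.11.3", "2.6.7.3", "2.10.0"};
        for (String v : samples) {
            String fix = fixedVersionFor(v);
            System.out.println(v + " -> " + (fix == null
                    ? "not in an affected range"
                    : "affected, upgrade to " + fix));
        }
    }
}
```

Note that a version outside every listed range (such as 2.10.0 in the sample) is reported as not affected only with respect to this advisory; the table says nothing about other jackson-databind issues in those versions.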

Affected products

2

Patches

1
ad418eeb974e

Backport #2387, #2389 fixes

https://github.com/FasterXML/jackson-databind · Tatu Saloranta · Jul 26, 2019 · via ghsa
1 file changed · +6 −0
  • src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java (+6 −0, modified)
    @@ -89,6 +89,12 @@ public class SubTypeValidator
             s.add("org.jdom.transform.XSLTransformer");
             s.add("org.jdom2.transform.XSLTransformer");
     
    +        // [databind#2387]: EHCache
    +        s.add("net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup");
    +
    +        // [databind#2389]: logback/jndi
    +        s.add("ch.qos.logback.core.db.JNDIConnectionSource");
    +
             DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
         }
     
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

92
