Critical severityNVD Advisory· Published Oct 1, 2019· Updated Aug 5, 2024
CVE-2019-16942
CVE-2019-16942
Description
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
com.fasterxml.jackson.core:jackson-databindMaven | >= 2.9.0, < 2.9.10.1 | 2.9.10.1 |
com.fasterxml.jackson.core:jackson-databindMaven | >= 2.7.0, < 2.8.11.5 | 2.8.11.5 |
com.fasterxml.jackson.core:jackson-databindMaven | >= 2.0.0, < 2.6.7.3 | 2.6.7.3 |
Affected products
32- FasterXML/jackson-databinddescription
- ghsa-coords31 versionspkg:maven/com.fasterxml.jackson.core/jackson-databindpkg:rpm/almalinux/apache-commons-collectionspkg:rpm/almalinux/apache-commons-langpkg:rpm/almalinux/bea-stax-apipkg:rpm/almalinux/glassfish-fastinfosetpkg:rpm/almalinux/glassfish-jaxb-apipkg:rpm/almalinux/glassfish-jaxb-corepkg:rpm/almalinux/glassfish-jaxb-runtimepkg:rpm/almalinux/glassfish-jaxb-txw2pkg:rpm/almalinux/jackson-annotationspkg:rpm/almalinux/jackson-corepkg:rpm/almalinux/jackson-databindpkg:rpm/almalinux/jackson-jaxrs-json-providerpkg:rpm/almalinux/jackson-jaxrs-providerspkg:rpm/almalinux/jackson-module-jaxb-annotationspkg:rpm/almalinux/jakarta-commons-httpclientpkg:rpm/almalinux/javassistpkg:rpm/almalinux/javassist-javadocpkg:rpm/almalinux/python3-nsspkg:rpm/almalinux/python-nss-docpkg:rpm/almalinux/relaxngDatatypepkg:rpm/almalinux/slf4jpkg:rpm/almalinux/slf4j-jdk14pkg:rpm/almalinux/stax-expkg:rpm/almalinux/velocitypkg:rpm/almalinux/xalan-j2pkg:rpm/almalinux/xerces-j2pkg:rpm/almalinux/xml-commons-apispkg:rpm/almalinux/xml-commons-resolverpkg:rpm/almalinux/xmlstreambufferpkg:rpm/almalinux/xsom
>= 2.9.0, < 2.9.10.1+ 30 more
- (no CPE)range: >= 2.9.0, < 2.9.10.1
- (no CPE)range: < 3.2.2-10.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 2.6-21.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 1.2.0-16.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 1.2.13-9.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 2.2.12-8.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 2.2.11-11.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 2.2.11-11.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 2.2.11-11.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 2.10.0-1.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 2.10.0-1.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 2.10.0-1.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 2.9.9-1.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 2.9.9-1.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 2.7.6-4.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 1:3.1-28.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 3.18.1-8.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 3.18.1-8.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 1.0.1-10.module_el8.5.0+2577+9e95fe00.alma
- (no CPE)range: < 1.0.1-10.module_el8.5.0+2577+9e95fe00.alma
- (no CPE)range: < 2011.1-7.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 1.7.25-4.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 1.7.25-4.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 1.7.7-8.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 1.7-24.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 2.7.1-38.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 2.11.0-34.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 1.4.01-25.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 1.2-26.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 1.5.4-8.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 0-19.20110809svn.module_el8.5.0+2577+9e95fe00
Patches
Vulnerability mechanics
References
47- access.redhat.com/errata/RHSA-2019:3901ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2020:0159ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2020:0160ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2020:0161ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2020:0164ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2020:0445ghsavendor-advisoryx_refsource_REDHATWEB
- github.com/advisories/GHSA-mx7p-6679-8g3qghsaADVISORY
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q7CANA7KV53JROZDX5Z5P26UG5VN2K43/mitrevendor-advisoryx_refsource_FEDORA
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TH5VFUN4P7CCIP7KSEXYA5MUTFCUDUJT/mitrevendor-advisoryx_refsource_FEDORA
- nvd.nist.gov/vuln/detail/CVE-2019-16942ghsaADVISORY
- www.debian.org/security/2019/dsa-4542ghsavendor-advisoryx_refsource_DEBIANWEB
- github.com/FasterXML/jackson-databind/commit/328a0f833daf6baa443ac3b37c818a0204714b0bghsaWEB
- github.com/FasterXML/jackson-databind/commit/54aa38d87dcffa5ccc23e64922e9536c82c1b9c8ghsaWEB
- github.com/FasterXML/jackson-databind/commit/9593e16cf5a3d289a9c584f7123639655de9ddacghsaWEB
- github.com/FasterXML/jackson-databind/commit/bc67eb11a7cf57561f861ff16f879f1fceb5779fghsaWEB
- github.com/FasterXML/jackson-databind/issues/2478ghsax_refsource_MISCWEB
- issues.apache.org/jira/browse/GEODE-7255ghsax_refsource_MISCWEB
- lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3EghsaWEB
- lists.apache.org/thread.html/7782a937c9259a58337ee36b2961f00e2d744feafc13084e176d0df5%40%3Cissues.geode.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/7782a937c9259a58337ee36b2961f00e2d744feafc13084e176d0df5@%3Cissues.geode.apache.org%3EghsaWEB
- lists.apache.org/thread.html/a430dbc9be874c41314cc69e697384567a9a24025e819d9485547954%40%3Cissues.geode.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/a430dbc9be874c41314cc69e697384567a9a24025e819d9485547954@%3Cissues.geode.apache.org%3EghsaWEB
- lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3EghsaWEB
- lists.apache.org/thread.html/b2e23c94f9dfef53e04c492e5d02e5c75201734be7adc73a49ef2370%40%3Cissues.geode.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/b2e23c94f9dfef53e04c492e5d02e5c75201734be7adc73a49ef2370@%3Cissues.geode.apache.org%3EghsaWEB
- lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3EghsaWEB
- lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3EghsaWEB
- lists.debian.org/debian-lts-announce/2019/10/msg00001.htmlghsamailing-listx_refsource_MLISTWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q7CANA7KV53JROZDX5Z5P26UG5VN2K43ghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TH5VFUN4P7CCIP7KSEXYA5MUTFCUDUJTghsaWEB
- medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062mitrex_refsource_MISC
- medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062ghsaWEB
- seclists.org/bugtraq/2019/Oct/6ghsamailing-listx_refsource_BUGTRAQWEB
- security.netapp.com/advisory/ntap-20191017-0006ghsaWEB
- security.netapp.com/advisory/ntap-20191017-0006/mitrex_refsource_CONFIRM
- www.oracle.com//security-alerts/cpujul2021.htmlghsax_refsource_MISCWEB
- www.oracle.com/security-alerts/cpuApr2021.htmlghsax_refsource_MISCWEB
- www.oracle.com/security-alerts/cpuapr2020.htmlghsax_refsource_MISCWEB
- www.oracle.com/security-alerts/cpujan2020.htmlghsax_refsource_MISCWEB
- www.oracle.com/security-alerts/cpujul2020.htmlghsax_refsource_MISCWEB
- www.oracle.com/security-alerts/cpuoct2020.htmlghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.