Critical severityNVD Advisory· Published Oct 12, 2019· Updated Aug 5, 2024
CVE-2019-17531
CVE-2019-17531
Description
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
com.fasterxml.jackson.core:jackson-databindMaven | >= 2.9.0, < 2.9.10.1 | 2.9.10.1 |
com.fasterxml.jackson.core:jackson-databindMaven | >= 2.7.0, < 2.8.11.5 | 2.8.11.5 |
com.fasterxml.jackson.core:jackson-databindMaven | < 2.6.7.3 | 2.6.7.3 |
Affected products
32- FasterXML/jackson-databinddescription
- ghsa-coords31 versionspkg:maven/com.fasterxml.jackson.core/jackson-databindpkg:rpm/almalinux/apache-commons-collectionspkg:rpm/almalinux/apache-commons-langpkg:rpm/almalinux/bea-stax-apipkg:rpm/almalinux/glassfish-fastinfosetpkg:rpm/almalinux/glassfish-jaxb-apipkg:rpm/almalinux/glassfish-jaxb-corepkg:rpm/almalinux/glassfish-jaxb-runtimepkg:rpm/almalinux/glassfish-jaxb-txw2pkg:rpm/almalinux/jackson-annotationspkg:rpm/almalinux/jackson-corepkg:rpm/almalinux/jackson-databindpkg:rpm/almalinux/jackson-jaxrs-json-providerpkg:rpm/almalinux/jackson-jaxrs-providerspkg:rpm/almalinux/jackson-module-jaxb-annotationspkg:rpm/almalinux/jakarta-commons-httpclientpkg:rpm/almalinux/javassistpkg:rpm/almalinux/javassist-javadocpkg:rpm/almalinux/python3-nsspkg:rpm/almalinux/python-nss-docpkg:rpm/almalinux/relaxngDatatypepkg:rpm/almalinux/slf4jpkg:rpm/almalinux/slf4j-jdk14pkg:rpm/almalinux/stax-expkg:rpm/almalinux/velocitypkg:rpm/almalinux/xalan-j2pkg:rpm/almalinux/xerces-j2pkg:rpm/almalinux/xml-commons-apispkg:rpm/almalinux/xml-commons-resolverpkg:rpm/almalinux/xmlstreambufferpkg:rpm/almalinux/xsom
>= 2.9.0, < 2.9.10.1+ 30 more
- (no CPE)range: >= 2.9.0, < 2.9.10.1
- (no CPE)range: < 3.2.2-10.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 2.6-21.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 1.2.0-16.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 1.2.13-9.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 2.2.12-8.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 2.2.11-11.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 2.2.11-11.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 2.2.11-11.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 2.10.0-1.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 2.10.0-1.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 2.10.0-1.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 2.9.9-1.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 2.9.9-1.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 2.7.6-4.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 1:3.1-28.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 3.18.1-8.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 3.18.1-8.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 1.0.1-10.module_el8.5.0+2577+9e95fe00.alma
- (no CPE)range: < 1.0.1-10.module_el8.5.0+2577+9e95fe00.alma
- (no CPE)range: < 2011.1-7.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 1.7.25-4.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 1.7.25-4.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 1.7.7-8.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 1.7-24.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 2.7.1-38.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 2.11.0-34.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 1.4.01-25.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 1.2-26.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 1.5.4-8.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 0-19.20110809svn.module_el8.5.0+2577+9e95fe00
Patches
Vulnerability mechanics
References
28- access.redhat.com/errata/RHSA-2019:4192ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2020:0159ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2020:0160ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2020:0161ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2020:0164ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2020:0445ghsavendor-advisoryx_refsource_REDHATWEB
- github.com/advisories/GHSA-gjmw-vf9h-g25vghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2019-17531ghsaADVISORY
- github.com/FasterXML/jackson-databind/commit/b5a304a98590b6bb766134f9261e6566dcbbb6d0ghsaWEB
- github.com/FasterXML/jackson-databind/issues/2498ghsax_refsource_MISCWEB
- lists.apache.org/thread.html/b3c90d38f99db546de60fea65f99a924d540fae2285f014b79606ca5%40%3Ccommits.pulsar.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/b3c90d38f99db546de60fea65f99a924d540fae2285f014b79606ca5@%3Ccommits.pulsar.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r392099ed2757ff2e383b10440594e914d080511d7da1c8fed0612c1f%40%3Ccommits.druid.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/r392099ed2757ff2e383b10440594e914d080511d7da1c8fed0612c1f@%3Ccommits.druid.apache.org%3EghsaWEB
- lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3EghsaWEB
- lists.debian.org/debian-lts-announce/2019/12/msg00013.htmlghsamailing-listx_refsource_MLISTWEB
- medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062mitrex_refsource_MISC
- medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062ghsaWEB
- security.netapp.com/advisory/ntap-20191024-0005ghsaWEB
- security.netapp.com/advisory/ntap-20191024-0005/mitrex_refsource_CONFIRM
- www.oracle.com//security-alerts/cpujul2021.htmlghsax_refsource_MISCWEB
- www.oracle.com/security-alerts/cpuapr2020.htmlghsax_refsource_MISCWEB
- www.oracle.com/security-alerts/cpujan2020.htmlghsax_refsource_MISCWEB
- www.oracle.com/security-alerts/cpujul2020.htmlghsax_refsource_MISCWEB
- www.oracle.com/security-alerts/cpuoct2020.htmlghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.