PT-2019-2950 · Qos.Ch+7 · Logback-Core+7

Publicado

2019-05-16

·

Atualizado

2025-09-29

·

CVE-2019-12384

CVSS v2.0

7.1

Alta

VetorAV:N/AC:M/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions FasterXML jackson-databind versions 2.x through 2.9.9
Description The issue is related to the failure to block the logback-core class from polymorphic deserialization, which can lead to various impacts, including remote code execution, depending on the classpath content. This can allow an attacker to have unauthorized access and execute arbitrary code.
Recommendations For FasterXML jackson-databind versions 2.x through 2.9.9, update to version 2.9.9.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the logback-core class to minimize the risk of exploitation.

Exploit

Correção

RCE

Deserialization of Untrusted Data

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-502

Identificadores relacionados

ALSA-2019:2720
ALSA-2019_2720
ALSA-2025_16880
ALT-PU-2020-3030
BDU:2019-02925
BDU:2019-04252
CESA-2019_2720
CVE-2019-12384
DLA-1831-1
DSA-4542-1
ELSA-2019-2720
GHSA-MPH4-VHRX-MV67
MGASA-2021-0153
OPENSUSE-SU-2024:10868-1
RHSA-2019:1820
RHSA-2019:2720
RHSA-2019:2935
RHSA-2019:2936
RHSA-2019:2937
RHSA-2019_2720
RHSA-2024:5856
RLSA-2019:2720
RLSA-2019_2720
USN-4813-1

Produtos afetados

Alt Linux
Almalinux
Centos
Red Hat
Rocky Linux
Ubuntu
Jackson-Databind
Logback-Core