CVE-2019-12814

Name of the Vulnerable Software and Affected Versions FasterXML jackson-databind versions 2.x through 2.9.9

Description A Polymorphic Typing issue was discovered in FasterXML jackson-databind. When Default Typing is enabled for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server. The vulnerability is related to the lack of protection of service data, which can be exploited by a remote attacker to read arbitrary files on the server by sending a specially crafted JSON message.

Recommendations For FasterXML jackson-databind versions 2.x through 2.9.9, consider disabling Default Typing for externally exposed JSON endpoints or removing JDOM 1.x or 2.x jars from the classpath until a patch is available. As a temporary workaround, restrict access to sensitive files on the server to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.