PT-2019-4183 · Jackson+6 · Jackson-Databind+6
Published 2017-11-01 · Updated 2025-01-28 · CVE-2019-16943
CVSS v2.0: 10 (High)
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
jackson-databind versions 2.0.0 through 2.9.10
jackson-databind versions prior to 2.9.10.1
jackson-databind versions prior to 2.8.11.5
jackson-databind versions prior to 2.6.7.3
Description
A Polymorphic Typing issue was discovered in the jackson-databind library. The issue is related to the mishandling of input data by the com.p6spy.engine.spy.P6DataSource class. When Default Typing is enabled for an externally exposed JSON endpoint and the service has the p6spy jar in the classpath, an attacker can exploit this issue to execute a malicious payload by accessing an RMI service endpoint.
Recommendations
For jackson-databind versions 2.0.0 through 2.9.10, update to version 2.9.10.1 or later.
For jackson-databind versions prior to 2.8.11.5, update to version 2.8.11.5 or later.
For jackson-databind versions prior to 2.6.7.3, update to version 2.6.7.3 or later.
As a temporary workaround, consider disabling the
com.p6spy.engine.spy.P6DataSource class until a patch is available.
Restrict access to the RMI service endpoint to minimize the risk of exploitation.
Exploit
Fix
RCE
Information Disclosure
Deserialization of Untrusted Data
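The precondition named in the description is Default Typing accepting any class on the classpath as a type id. As an added example that is not part of the advisory, the weak configuration is shown beside a hardened one that restricts type ids with a PolymorphicTypeValidator; it assumes Jackson 2.10 or later and an application model package named com.example.model (an assumed name).

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingHardening {

    // Weak configuration (pre-2.10 API, deprecated): every class on the classpath is a
    // legal type id in incoming JSON, which is the precondition the advisory describes.
    @SuppressWarnings("deprecation")
    static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // Hardened configuration (Jackson 2.10+): type ids are honoured only for classes
    // under the application's own model package. "com.example.model." is an assumed name.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // True when the mapper refuses to resolve the type id; with the hardened mapper this
    // happens because the validator denied it. A regression test can assert on this.
    static boolean rejectsTypeId(ObjectMapper mapper, String typeId) {
        // Constructed input: the default-typing array wrapper naming a class, no properties.
        String json = "[\"" + typeId + "\", {}]";
        try {
            mapper.readValue(json, Object.class);
            return false;
        } catch (InvalidTypeIdException e) {
            return true;
        } catch (Exception e) {
            return false; // any other failure is not a type-id rejection
        }
    }

    public static void main(String[] args) {
        String gadget = "com.p6spy.engine.spy.P6DataSource"; // class named in the advisory
        System.out.println("hardened mapper rejects gadget: "
                + rejectsTypeId(hardenedMapper(), gadget));
    }
}
```

The weak mapper is shown only for contrast; new code should not enable Default Typing at all and, where polymorphism is genuinely needed, should declare the permitted subtypes explicitly with @JsonTypeInfo and @JsonSubTypes.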
Related identifiers
Affected products
Alt Linux
Almalinux
Centos
Red Hat
Rocky Linux
Ubuntu
Jackson-Databind