PT-2019-5806 · Jackson+2 · Jackson-Databind+2

Publicado

2019-09-19

Atualizado

2025-01-28

CVE-2019-14892

CVSS v2.0

Alta

Vetor

AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions jackson-databind versions prior to 2.9.10 jackson-databind versions prior to 2.8.11.5 jackson-databind versions prior to 2.6.7.3

Description The issue is related to the restoration of untrusted data in memory, which can allow a remote attacker to execute arbitrary code. This is due to a flaw in jackson-databind that permits polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes.

Recommendations For versions prior to 2.9.10, update to version 2.9.10 or later. For versions prior to 2.8.11.5, update to version 2.8.11.5 or later. For versions prior to 2.6.7.3, update to version 2.6.7.3 or later. As a temporary workaround, consider restricting the use of commons-configuration 1 and 2 JNDI classes to minimize the risk of exploitation.

Correção

Deserialization of Untrusted Data

Information Disclosure

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-502CWE-200

Identificadores relacionados

ALT-PU-2021-1792

BDU:2021-02953

CVE-2019-14892

GHSA-CF6R-3WGC-H863

RHSA-2020:0159

RHSA-2020:0160

RHSA-2020:0161

ROSA-SA-2025-2629

Produtos afetados

Alt Linux

Commons-Configuration

Jackson-Databind

PT-2019-5806 · Jackson+2 · Jackson-Databind+2

CVE-2019-14892

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 24