CVE-2019-12086

Name of the Vulnerable Software and Affected Versions FasterXML jackson-databind versions 2.x before 2.9.9

Description A Polymorphic Typing issue was discovered in FasterXML jackson-databind. When Default Typing is enabled for an externally exposed JSON endpoint and the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation. The issue can be exploited by a remote attacker to access confidential data by sending a specially crafted JSON message.

Recommendations For FasterXML jackson-databind versions 2.x before 2.9.9, update to version 2.9.9 or later to resolve the issue. As a temporary workaround, consider disabling the Default Typing feature for externally exposed JSON endpoints until a patch is available. Restrict access to the mysql-connector-java jar in the classpath to minimize the risk of exploitation. Avoid using the com.mysql.cj.jdbc.admin.MiniAdmin class in the affected JSON endpoint until the issue is resolved.