PT-2019-2950 · Qos.Ch +7 · Logback-Core +7
Published: 2019-05-16 · Updated: 2025-09-29 · CVE-2019-12384
CVSS v2.0: 7.1 (High)
Vector: AV:N/AC:M/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions: FasterXML jackson-databind versions 2.x through 2.9.9
Description: jackson-databind fails to block the logback-core class from polymorphic deserialization. Depending on what is present on the classpath, the impact ranges up to remote code execution, allowing an attacker to gain unauthorized access and execute arbitrary code.
Recommendations: For FasterXML jackson-databind versions 2.x through 2.9.9, update to version 2.9.9.1 or later. As a temporary workaround, restrict access to the logback-core class to minimize the risk of exploitation.
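As an added illustration of the hardening the recommendations point at (example code, not from this advisory or from the jackson-databind project), the following Java contrasts the pre-2.10 blocklist-only default typing behind this class of issue with a jackson-databind 2.10+ ObjectMapper that only resolves type ids from an explicit allowlist, so a logback-core class cannot be named as a target regardless of whether a blocklist entry exists for it. The package prefix com.example.model. and the JDK class used as a sample type id are assumptions.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.ObjectMapper.DefaultTyping;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class HardenedMapperDemo {

    // Risky pre-2.10 style: any class on the classpath may be named as a type id
    // and is only stopped if it happens to be on Jackson's built-in blocklist.
    // The missing logback-core entry in that blocklist is the gap CVE-2019-12384
    // describes. Shown for contrast only; do not use in production.
    @SuppressWarnings("deprecation")
    static ObjectMapper blocklistOnlyMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(DefaultTyping.NON_FINAL);
        return mapper;
    }

    // Hardened: an allowlist decides which subtypes may be instantiated. Anything
    // outside the listed package prefix is rejected before the class is loaded.
    static ObjectMapper allowlistMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.") // assumed application package
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, DefaultTyping.NON_FINAL);
        return mapper;
    }

    // True if the mapper refuses to resolve the type id carried in the JSON.
    static boolean rejectsTypeId(ObjectMapper mapper, String json) {
        try {
            mapper.readValue(json, Object.class);
            return false;
        } catch (InvalidTypeIdException e) {
            return true;   // validator denied the type id
        } catch (Exception e) {
            return false;  // some other parse failure, not a policy rejection
        }
    }

    public static void main(String[] args) {
        // Constructed sample in Jackson's WRAPPER_ARRAY form; a benign JDK class
        // stands in for any class outside the allowlist.
        String json = "[\"java.util.HashMap\", {}]";
        System.out.println("blocklist-only mapper rejects: " + rejectsTypeId(blocklistOnlyMapper(), json));
        System.out.println("allowlist mapper rejects:      " + rejectsTypeId(allowlistMapper(), json));
    }
}
```

Not enabling default typing at all remains the strongest option; the allowlist is for code that genuinely needs polymorphic handling.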

Exploit · Fix · RCE · Deserialization of Untrusted Data

Weakness Enumeration

Related Identifiers

ALSA-2019:2720
ALSA-2019_2720
ALSA-2025_16880
ALT-PU-2020-3030
BDU:2019-02925
BDU:2019-04252
CESA-2019_2720
CVE-2019-12384
DLA-1831-1
DSA-4542-1
ELSA-2019-2720
GHSA-MPH4-VHRX-MV67
MGASA-2021-0153
OPENSUSE-SU-2024:10868-1
RHSA-2019:1820
RHSA-2019:2720
RHSA-2019:2935
RHSA-2019:2936
RHSA-2019:2937
RHSA-2019_2720
RHSA-2024:5856
RLSA-2019:2720
RLSA-2019_2720
USN-4813-1

Affected Products

Alt Linux
Almalinux
Centos
Red Hat
Rocky Linux
Ubuntu
Jackson-Databind
Logback-Core