PT-2019-3785 · Fasterxml+7 · Jackson-Databind+7

Published

2017-11-01

Updated

2025-01-28

CVE-2019-16335

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions FasterXML jackson-databind versions prior to 2.9.10 FasterXML jackson-databind version 2.8.11.5 FasterXML jackson-databind version 2.6.7.3

Description A Polymorphic Typing issue was discovered in FasterXML jackson-databind. It is related to com.zaxxer.hikari.HikariDataSource. The vulnerability is associated with the recovery of untrusted data structures in memory, which can allow a remote attacker to gain full control over the system.

Recommendations For FasterXML jackson-databind versions prior to 2.9.10, update to version 2.9.10 or later. For FasterXML jackson-databind version 2.8.11.5, update to a version later than 2.8.11.5. For FasterXML jackson-databind version 2.6.7.3, update to a version later than 2.6.7.3. As a temporary workaround, consider disabling the use of com.zaxxer.hikari.HikariDataSource until a patch is available.

Fix

RCE

Information Disclosure

Deserialization of Untrusted Data

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-20CWE-200CWE-502

Related Identifiers

ALSA-2020:1644

ALT-PU-2017-2557

ALT-PU-2021-1792

BDU:2019-04081

CESA-2020_1644

CVE-2019-16335

DLA-1943-1

DSA-4542-1

GHSA-85CW-HJ65-QQV9

MGASA-2021-0153

RHSA-2020:0159

RHSA-2020:0160

RHSA-2020:0161

RHSA-2020:1644

RHSA-2020_1644

RLSA-2020:1644

ROSA-SA-2025-2629

USN-4813-1

Affected Products

Alt Linux

Almalinux

Centos

Hikaridatasource

Red Hat

Rocky Linux

Ubuntu

Jackson-Databind

PT-2019-3785 · Fasterxml+7 · Jackson-Databind+7

CVE-2019-16335

Weakness Enumeration

Related Identifiers

Affected Products

References · 157