PT-2019-3789 · Fasterxml+7 · Jackson-Databind+7

Published

2017-11-01

·

Updated

2025-09-29

·

CVE-2019-14540

CVSS v3.1

9.8

Critical

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions FasterXML jackson-databind versions prior to 2.9.10 FasterXML jackson-databind version 2.8.11.5 FasterXML jackson-databind version 2.6.7.3
Description A Polymorphic Typing issue was discovered in FasterXML jackson-databind. It is related to com.zaxxer.hikari.HikariConfig. The issue is associated with the recovery of an untrusted data structure in memory. Exploitation of this issue may allow a remote attacker to gain full control over the system.
Recommendations For FasterXML jackson-databind versions prior to 2.9.10, update to version 2.9.10 or later. For FasterXML jackson-databind version 2.8.11.5, update to a version that includes the fix for this issue. For FasterXML jackson-databind version 2.6.7.3, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting the use of com.zaxxer.hikari.HikariConfig until a patch is available.

Exploit

Fix

RCE

Information Disclosure

Deserialization of Untrusted Data

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-20CWE-200CWE-502

Related Identifiers

ALSA-2020:1644
ALSA-2020_2755
ALSA-2020_2848
ALSA-2020_2852
ALSA-2020_3732
ALSA-2020_5500
ALSA-2021_4198
ALSA-2025_11035
ALSA-2025_16880
ALT-PU-2017-2557
ALT-PU-2020-2640
ALT-PU-2021-1792
ALT-PU-2021-2380
ALT-PU-2021-3668
BDU:2019-04085
CESA-2020_1644
CVE-2019-14540
DLA-1943-1
DSA-4542-1
ELSA-2020-1644
GHSA-H822-R4R5-V8JG
MGASA-2021-0153
OPENSUSE-SU-2024:10868-1
RHSA-2020:0159
RHSA-2020:0160
RHSA-2020:0161
RHSA-2020:1644
RHSA-2020_1644
RLSA-2020:1644
RLSA-2020_1644
ROSA-SA-2025-2629
USN-4813-1

Affected Products

Alt Linux
Almalinux
Centos
Hikariconfig
Red Hat
Rocky Linux
Ubuntu
Jackson-Databind