PT-2019-3790 · Qos.Ch+3 · Logback+3
Published 2019-07-30 · Updated 2025-09-29 · CVE-2019-14439
CVSS v3.1 7.5 High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
jackson-databind versions 2.x before 2.9.9.2
jackson-databind versions 2.8.x before 2.8.11.4
jackson-databind versions 2.7.x before 2.7.9.6
jackson-databind versions 2.6.x before 2.6.7.3
Description
The vulnerability is a Polymorphic Typing issue in the jackson-databind library. It can be triggered when Default Typing is enabled for an externally exposed JSON endpoint and the logback jar is present on the classpath. A remote attacker who reaches such an endpoint can exploit it to gain unauthorized access to protected information, potentially leading to the recovery of untrusted data structures in memory.
Recommendations
For jackson-databind versions 2.x before 2.9.9.2, update to version 2.9.9.2 or later.
For jackson-databind versions 2.8.x before 2.8.11.4, update to version 2.8.11.4 or later.
For jackson-databind versions 2.7.x before 2.7.9.6, update to version 2.7.9.6 or later.
For jackson-databind versions 2.6.x before 2.6.7.3, update to version 2.6.7.3 or later.
As a temporary workaround until the patched version can be deployed, disable Default Typing for externally exposed JSON endpoints, and keep the logback jar off the classpath of such services where it is not needed, to reduce the opportunity for exploitation.
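The following is an added illustration of the workaround above; it is not code from the advisory, from jackson-databind or from logback. It contrasts an ObjectMapper with Default Typing enabled globally (the weak configuration the description refers to) with two hardened configurations: one that leaves Default Typing off and handles polymorphism only through explicit annotations on the application's own types, and one that keeps Default Typing but restricts it to an allowlist via PolymorphicTypeValidator. The Item, Note, Reminder and Envelope types are hypothetical application classes. Note that activateDefaultTyping and BasicPolymorphicTypeValidator exist only from jackson-databind 2.10 onward, so on the 2.6.x to 2.9.x fixed versions listed above the first hardened option (Default Typing off) is the one available.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingExample {

    // Hypothetical application type hierarchy carried by an external JSON endpoint.
    // Polymorphism is declared explicitly: the "kind" property selects one of the
    // listed subtypes, and nothing else on the classpath can be named by the client.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "kind")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = Note.class, name = "note"),
        @JsonSubTypes.Type(value = Reminder.class, name = "reminder")
    })
    public interface Item {}
    public static class Note implements Item { public String text; }
    public static class Reminder implements Item { public String when; }

    // A holder with an Object-typed field: the shape where global Default Typing lets
    // the client's JSON decide which class gets instantiated.
    public static class Envelope { public Object payload; }

    /** Weak: global Default Typing on a mapper that reads untrusted input. */
    public static ObjectMapper weakMapper() {
        ObjectMapper m = new ObjectMapper();
        // Deprecated since 2.10. With this on, any non-final type on the classpath
        // (logback classes included) becomes reachable from an Object-typed field.
        m.enableDefaultTyping();
        return m;
    }

    /** Hardened, option 1: Default Typing stays off; only annotated hierarchies are polymorphic. */
    public static ObjectMapper hardenedMapper() {
        // Default Typing is disabled unless explicitly enabled, so a plain mapper is safe here.
        return new ObjectMapper();
    }

    /** Hardened, option 2 (jackson-databind 2.10+): Default Typing limited to an allowlist. */
    public static ObjectMapper allowlistMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType(Item.class)   // only the application's own hierarchy may be named
            .build();
        return new ObjectMapper().activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a valid Item selected by the declared "kind" property.
        String itemJson = "{\"kind\":\"note\",\"text\":\"hello\"}";
        Item item = hardenedMapper().readValue(itemJson, Item.class);
        System.out.println("Item deserialized as " + item.getClass().getSimpleName());

        // Constructed sample input: with Default Typing off, an Object-typed field is bound
        // to a plain Map, regardless of what the client tried to put in it.
        String envelopeJson = "{\"payload\":{\"anything\":1}}";
        Envelope e = hardenedMapper().readValue(envelopeJson, Envelope.class);
        System.out.println("Envelope payload bound as " + e.payload.getClass().getSimpleName());
    }
}
```

A quick audit of a code base for this issue is to search for enableDefaultTyping calls (and for activateDefaultTyping calls whose validator is not an allowlist) on mappers that read request bodies; each one is a place where the classpath, not the application's type declarations, decides what can be instantiated.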
Deserialization of Untrusted Data
Information Disclosure
Related Identifiers
Affected Products
Alt Linux
Ubuntu
Jackson-Databind
Logback