CVE-2019-16942

Name of the Vulnerable Software and Affected Versions FasterXML jackson-databind versions 2.0.0 through 2.9.10

Description A Polymorphic Typing issue exists in the jackson-databind library. When Default Typing is enabled for an externally exposed JSON endpoint and the service has the commons-dbcp jar in the classpath, an attacker can exploit this issue to execute a malicious payload by accessing an RMI service endpoint. This is possible due to the mishandling of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource. The issue is related to insufficient input data validation, allowing a remote attacker to gain unauthorized access to information or cause a denial of service.

Recommendations For FasterXML jackson-databind versions 2.0.0 through 2.9.10, consider disabling the Default Typing feature for externally exposed JSON endpoints as a temporary workaround until a patch is available. Restrict access to the org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource classes to minimize the risk of exploitation. Avoid using the commons-dbcp jar in the classpath if possible, to reduce the attack surface. At the moment, there is no information about a newer version that contains a fix for this vulnerability.