PT-2019-4532 · Fasterxml+2 · Jackson-Databind+2

Published

2019-08-06

Updated

2025-01-28

CVE-2019-17267

CVSS v2.0

Critical

Vector

AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions FasterXML jackson-databind versions 2.8.0 through 2.8.11.4 FasterXML jackson-databind versions 2.9.0 through 2.9.9

Description A Polymorphic Typing issue was discovered in FasterXML jackson-databind. It is related to the net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup class. The issue is associated with inadequate input data processing, which can allow a remote attacker to gain full control over the application.

Recommendations For FasterXML jackson-databind versions 2.8.0 through 2.8.11.4, update to version 2.8.11.5 or later. For FasterXML jackson-databind versions 2.9.0 through 2.9.9, update to version 2.9.10 or later. As a temporary workaround, consider restricting the use of the net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup class until a patch is available.

Exploit

Fix

Deserialization of Untrusted Data

Information Disclosure

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-502CWE-200CWE-20

Related Identifiers

ALT-PU-2021-1792

BDU:2020-00566

CVE-2019-17267

DLA-2030-1

GHSA-F3J5-RMMP-3FC5

MGASA-2021-0153

OPENSUSE-SU-2024:10868-1

RHSA-2020:0159

RHSA-2020:0160

RHSA-2020:0161

ROSA-SA-2025-2629

USN-4813-1

Affected Products

Alt Linux

Ubuntu

Jackson-Databind

PT-2019-4532 · Fasterxml+2 · Jackson-Databind+2

CVE-2019-17267

Weakness Enumeration

Related Identifiers

Affected Products

References · 122