PT-2019-4596 · Jackson+7 · Jackson-Databind+7
Published 2017-11-01 · Updated 2025-01-28 · CVE-2019-17531
CVSS v2.0: 10 (Critical)
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
jackson-databind versions 2.0.0 through 2.9.10
jackson-databind versions prior to 2.9.10.1
jackson-databind versions prior to 2.8.11.5
jackson-databind versions prior to 2.6.7.3
Description
A Polymorphic Typing issue in the jackson-databind library stems from the lack of an input validation mechanism. A remote attacker can exploit this issue to gain full control over the system. The vulnerability occurs when Default Typing is enabled for an externally exposed JSON endpoint and the service has the apache-log4j-extra jar on the classpath, allowing an attacker to execute a malicious payload by providing a JNDI service.
Recommendations
For jackson-databind versions 2.0.0 through 2.9.10, update to version 2.9.10.1 or later.
For jackson-databind versions prior to 2.8.11.5, update to version 2.8.11.5 or later.
For jackson-databind versions prior to 2.6.7.3, update to version 2.6.7.3 or later.
As a temporary workaround, consider disabling Default Typing for externally exposed JSON endpoints until a patch is available.
Restrict access to the apache-log4j-extra jar on the classpath to minimize the risk of exploitation.
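As an added example, not part of this advisory or of the Jackson project, the weak ObjectMapper setting the description refers to is shown beside two corrected configurations. It assumes Jackson 2.10 or later for the PolymorphicTypeValidator API; the package name com.example.model and the Animal/Dog/Cat types are hypothetical.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingConfig {

    // Weak setting: global Default Typing lets the JSON document name the class to instantiate.
    // With this enabled on an externally exposed endpoint and a gadget such as apache-log4j-extra
    // on the classpath, untrusted input reaches the deserialization path the advisory describes.
    static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // deprecated since 2.10; the setting this advisory warns about
        return mapper;
    }

    // Corrected setting 1: Default Typing stays off (the ObjectMapper default); polymorphism is
    // declared per base type with an explicit @JsonSubTypes allow-list (see Animal below).
    static ObjectMapper hardenedMapper() {
        return new ObjectMapper();
    }

    // Corrected setting 2 (Jackson 2.10+): if polymorphic typing is genuinely required, constrain
    // it to application-owned types with a PolymorphicTypeValidator instead of accepting any class name.
    static ObjectMapper restrictedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.") // hypothetical package prefix; use your own
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // Hypothetical types: deserializing an Animal can only produce Dog or Cat; any other "type"
    // value is rejected with an InvalidTypeIdException rather than resolved to an arbitrary class.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "type")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = Dog.class, name = "dog"),
        @JsonSubTypes.Type(value = Cat.class, name = "cat")
    })
    interface Animal {}
    static class Dog implements Animal { public String name; }
    static class Cat implements Animal { public String name; }

    public static void main(String[] args) throws Exception {
        // Constructed sample input for the allow-listed path.
        String json = "{\"type\":\"dog\",\"name\":\"Rex\"}";
        Animal a = hardenedMapper().readValue(json, Animal.class);
        System.out.println(a.getClass().getSimpleName());
    }
}
```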
Exploit
Fix
Deserialization of Untrusted Data
RCE
Related identifiers
Affected products
Alt Linux
Almalinux
Centos
Red Hat
Rocky Linux
Ubuntu
Apache-Log4J-Extra
Jackson-Databind