PT-2019-5806 · Jackson+2 · Jackson-Databind+2

Published

2019-09-19

Updated

2025-01-28

CVE-2019-14892

CVSS v2.0

High

Vector

AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions jackson-databind versions prior to 2.9.10 jackson-databind versions prior to 2.8.11.5 jackson-databind versions prior to 2.6.7.3

Description The issue is related to the restoration of untrusted data in memory, which can allow a remote attacker to execute arbitrary code. This is due to a flaw in jackson-databind that permits polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes.

Recommendations For versions prior to 2.9.10, update to version 2.9.10 or later. For versions prior to 2.8.11.5, update to version 2.8.11.5 or later. For versions prior to 2.6.7.3, update to version 2.6.7.3 or later. As a temporary workaround, consider restricting the use of commons-configuration 1 and 2 JNDI classes to minimize the risk of exploitation.

Fix

Deserialization of Untrusted Data

Information Disclosure

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-502CWE-200

Related Identifiers

ALT-PU-2021-1792

BDU:2021-02953

CVE-2019-14892

GHSA-CF6R-3WGC-H863

RHSA-2020:0159

RHSA-2020:0160

RHSA-2020:0161

ROSA-SA-2025-2629

Affected Products

Alt Linux

Commons-Configuration

Jackson-Databind

PT-2019-5806 · Jackson+2 · Jackson-Databind+2

CVE-2019-14892

Weakness Enumeration

Related Identifiers

Affected Products

References · 24