PT-2020-4105 · Fasterxml+2 · Jackson-Databind+2

Yaoguang Chen · Published 2020-03-02 · Updated 2025-01-28 · CVE-2019-14893

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions: FasterXML jackson-databind versions prior to 2.9.10 and 2.10.0
Description: A flaw in FasterXML jackson-databind allows polymorphic deserialization of malicious objects using the xalan JNDI gadget when the library is used with polymorphic type handling such as enableDefaultTyping(), or with @JsonTypeInfo using Id.CLASS or Id.MINIMAL_CLASS. This could enable an attacker to execute arbitrary code. The root cause is the reconstruction of untrusted data structures in memory (deserialization of untrusted data), which a remote attacker can trigger.
Recommendations: For versions prior to 2.9.10 and 2.10.0, update to version 2.9.10 or 2.10.0 or later to resolve the issue. As a temporary workaround, disable the use of enableDefaultTyping() and of @JsonTypeInfo with Id.CLASS or Id.MINIMAL_CLASS until a patch is applied. Restrict ObjectMapper.readValue to input from trusted sources to minimize the risk of exploitation.
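The weak setting named above beside a hardened alternative, as an added example that is not part of this advisory or of the jackson-databind project. It assumes jackson-databind 2.10 or later, where activateDefaultTyping() with a PolymorphicTypeValidator replaces the deprecated enableDefaultTyping(); Shape, Circle and Holder are constructed application types, and java.util.HashMap is a harmless stand-in for the gadget class.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

// Added example (not advisory or project code); assumes jackson-databind 2.10 or later.
public class DefaultTypingHardening {
    // Constructed application types: one polymorphic base, one legitimate subtype.
    public static abstract class Shape { }
    public static class Circle extends Shape { public double radius; }
    // Final, so the root value carries no type id; only the Object-typed field does.
    public static final class Holder { public Object payload; }

    // Weak setting named in the advisory: global default typing with no validator, so the
    // ["fully.qualified.Name", value] wrapper may name any loadable class on the classpath.
    static ObjectMapper weakMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL); // deprecated since 2.10
        return m;
    }

    // Hardened setting: default typing stays on, but a type id must resolve to a Shape subtype.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Shape.class)
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a legitimate subtype, and a harmless JDK class standing in for a gadget.
        String legit = "{\"payload\":[\"" + Circle.class.getName() + "\",{\"radius\":2.0}]}";
        String foreign = "{\"payload\":[\"java.util.HashMap\",{\"k\":\"v\"}]}";

        Holder h1 = weakMapper().readValue(foreign, Holder.class);
        System.out.println("weak mapper instantiated: " + h1.payload.getClass().getName());
        ObjectMapper safe = hardenedMapper();
        Holder h2 = safe.readValue(legit, Holder.class);
        System.out.println("hardened mapper accepted: " + h2.payload.getClass().getName());
        try {
            safe.readValue(foreign, Holder.class);
        } catch (InvalidTypeIdException e) {
            // The validator refuses the type id before any instance of that class is created.
            System.out.println("hardened mapper rejected type id: " + e.getTypeId());
        }
    }
}
```

The validator only limits which type ids may resolve; it complements, and does not replace, the upgrade recommended above.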

Fix

Weakness Enumeration

Deserialization of Untrusted Data
Information Disclosure

Related Identifiers

ALT-PU-2021-1792
BDU:2020-04507
CVE-2019-14893
GHSA-QMQC-X3R4-6V39
OPENSUSE-SU-2024:10868-1
RHSA-2020:0159
RHSA-2020:0160
RHSA-2020:0161
ROSA-SA-2025-2629

Affected Products

Alt Linux
Jackson-Databind
Xalan