CVE-2019-16942

Summary

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.

Impact & exploitability

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products we track (1)

Recommendation

Apply the vendor fix promptly. Open any affected product above for its exact safe version.

Official patch: https://github.com/FasterXML/jackson-databind/issues/2478 ↗

Additional information

• NVD record
• https://github.com/FasterXML/jackson-databind/issues/2478Patch
• https://access.redhat.com/errata/RHSA-2019:3901Advisory
• https://access.redhat.com/errata/RHSA-2020:0159Advisory
• https://access.redhat.com/errata/RHSA-2020:0160Advisory
• https://access.redhat.com/errata/RHSA-2020:0161Advisory
• https://access.redhat.com/errata/RHSA-2020:0164Advisory
• https://access.redhat.com/errata/RHSA-2020:0445Advisory
• https://issues.apache.org/jira/browse/GEODE-7255Advisory