CVE-2019-14379

SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution.

Practical reading: this is a polymorphic-deserialization (gadget class) issue, not a parsing bug. It is reachable only when the application enables default typing, or otherwise lets attacker-controlled JSON choose the concrete class for an Object-, interface- or abstract-typed property, and only when ehcache is on the classpath so the named class can be instantiated. The 2.9.9.2 change (the compare link under References) adds that class name to the SubTypeValidator denylist of classes that may never be deserialized; it does not alter how default typing itself works, so each later gadget class needs a further denylist entry. Applications that do not enable default typing and do not bind untrusted input to polymorphic properties are not exposed by this CVE.
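The point above is that the bug is only reachable through a mapper configuration that lets the JSON name the class. The following Java is an added example, not code from this CVE record or from the jackson-databind project: it places the exposing configuration next to two alternatives that close the hole regardless of which gadget class is on the classpath. The `com.example` package and the `Holder`, `Message` and `Note` types are hypothetical, the input JSON is constructed, and the third mapper assumes jackson-databind 2.10 or later (where `activateDefaultTyping` and `BasicPolymorphicTypeValidator` exist); the first uses the pre-2.10 `enableDefaultTyping` API, which is deprecated from 2.10 on.

```java
package com.example;

import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingDemo {

    /** Hypothetical DTO with an Object-typed property: the shape that default typing makes dangerous. */
    public static class Holder {
        public Object payload;
    }

    /** Hypothetical polymorphic base type with an explicit, closed set of named subtypes. */
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "type")
    @JsonSubTypes({ @JsonSubTypes.Type(value = Note.class, name = "note") })
    public interface Message {}

    public static class Note implements Message {
        public String text;
    }

    /**
     * (1) EXPOSED configuration. Global default typing lets the JSON name any class on the
     * classpath as the type id. SubTypeValidator only denylists known gadget classes, and
     * before 2.9.9.2 the ehcache DefaultTransactionManagerLookup was missing from that list.
     */
    static ObjectMapper vulnerableMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE); // pre-2.10 API
        return m;
    }

    /** (2) Safe on every 2.x: no default typing; subtypes come only from @JsonSubTypes. */
    static ObjectMapper annotatedMapper() {
        return new ObjectMapper();
    }

    /**
     * (3) Safe on 2.10+: if default typing is unavoidable, scope it with a
     * PolymorphicTypeValidator so only the application's own package can be instantiated.
     */
    static ObjectMapper validatedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.")
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return m;
    }

    /** Deserialize and report whether the mapper accepted the attacker-chosen type id. */
    static String attempt(String label, ObjectMapper mapper, String json, Class<?> target) {
        try {
            Object result = mapper.readValue(json, target);
            Object shown = (result instanceof Holder) ? ((Holder) result).payload : result;
            return label + ": ACCEPTED -> " + shown.getClass().getName();
        } catch (JsonMappingException e) {
            return label + ": REJECTED (" + e.getClass().getSimpleName() + ")";
        } catch (java.io.IOException e) {
            return label + ": PARSE ERROR (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) {
        // Constructed input in default-typing wire format: the JSON, not the code, names the class.
        // A harmless JDK class stands in here; a real attack names a gadget such as the ehcache
        // class from this CVE, which is why the class name must never be attacker-controlled.
        String untrusted = "{\"payload\":[\"java.util.HashMap\",{\"k\":\"v\"}]}";

        System.out.println(attempt("default typing  ", vulnerableMapper(), untrusted, Holder.class));
        System.out.println(attempt("validated typing", validatedMapper(), untrusted, Holder.class));

        // With annotation-driven polymorphism the type id is a logical name, not a class name,
        // so an unknown id cannot resolve to anything outside the @JsonSubTypes list.
        String known   = "{\"type\":\"note\",\"text\":\"hi\"}";
        String unknown = "{\"type\":\"net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup\"}";
        System.out.println(attempt("named subtype   ", annotatedMapper(), known, Message.class));
        System.out.println(attempt("unknown subtype ", annotatedMapper(), unknown, Message.class));
    }
}
```

Run with jackson-databind and jackson-annotations on the classpath. The first mapper accepts the JSON-named class, the validated mapper rejects it because `java.util.HashMap` is outside the allow-listed prefix, and the annotated mapper resolves `note` but has nowhere to map an unknown id. Upgrading to 2.9.9.2 blocks this one ehcache class in configuration (1) but leaves default typing in place, which is why configurations (2) or (3) are the durable fix for this family of CVEs.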

Published : 2019-07-29 12:15 Updated : 2019-10-06 23:15

CVSS Score : 7.5 / 10
Vendor Product Version URI
Fasterxml Jackson-databind 2.7.0 cpe:/a:fasterxml:jackson-databind:2.7.0
Fasterxml Jackson-databind 2.7.0 cpe:/a:fasterxml:jackson-databind:2.7.0:-
Fasterxml Jackson-databind 2.7.0 cpe:/a:fasterxml:jackson-databind:2.7.0:rc1
Fasterxml Jackson-databind 2.7.0 cpe:/a:fasterxml:jackson-databind:2.7.0:rc2
Fasterxml Jackson-databind 2.7.0 cpe:/a:fasterxml:jackson-databind:2.7.0:rc3
Fasterxml Jackson-databind 2.7.1 cpe:/a:fasterxml:jackson-databind:2.7.1
Fasterxml Jackson-databind 2.7.1-1 cpe:/a:fasterxml:jackson-databind:2.7.1-1
Fasterxml Jackson-databind 2.7.2 cpe:/a:fasterxml:jackson-databind:2.7.2
Fasterxml Jackson-databind 2.7.3 cpe:/a:fasterxml:jackson-databind:2.7.3
Fasterxml Jackson-databind 2.7.4 cpe:/a:fasterxml:jackson-databind:2.7.4
Fasterxml Jackson-databind 2.7.5 cpe:/a:fasterxml:jackson-databind:2.7.5
Fasterxml Jackson-databind 2.7.6 cpe:/a:fasterxml:jackson-databind:2.7.6
Fasterxml Jackson-databind 2.7.7 cpe:/a:fasterxml:jackson-databind:2.7.7
Fasterxml Jackson-databind 2.7.8 cpe:/a:fasterxml:jackson-databind:2.7.8
Fasterxml Jackson-databind 2.7.9 cpe:/a:fasterxml:jackson-databind:2.7.9
Fasterxml Jackson-databind 2.7.9.1 cpe:/a:fasterxml:jackson-databind:2.7.9.1
Fasterxml Jackson-databind 2.7.9.2 cpe:/a:fasterxml:jackson-databind:2.7.9.2
Fasterxml Jackson-databind 2.7.9.3 cpe:/a:fasterxml:jackson-databind:2.7.9.3
Fasterxml Jackson-databind 2.7.9.4 cpe:/a:fasterxml:jackson-databind:2.7.9.4
Fasterxml Jackson-databind 2.7.9.5 cpe:/a:fasterxml:jackson-databind:2.7.9.5
Fasterxml Jackson-databind 2.8.0 cpe:/a:fasterxml:jackson-databind:2.8.0
Fasterxml Jackson-databind 2.8.1 cpe:/a:fasterxml:jackson-databind:2.8.1
Fasterxml Jackson-databind 2.8.2 cpe:/a:fasterxml:jackson-databind:2.8.2
Fasterxml Jackson-databind 2.8.3 cpe:/a:fasterxml:jackson-databind:2.8.3
Fasterxml Jackson-databind 2.8.4 cpe:/a:fasterxml:jackson-databind:2.8.4
Fasterxml Jackson-databind 2.8.5 cpe:/a:fasterxml:jackson-databind:2.8.5
Fasterxml Jackson-databind 2.8.6 cpe:/a:fasterxml:jackson-databind:2.8.6
Fasterxml Jackson-databind 2.8.7 cpe:/a:fasterxml:jackson-databind:2.8.7
Fasterxml Jackson-databind 2.8.8 cpe:/a:fasterxml:jackson-databind:2.8.8
Fasterxml Jackson-databind 2.8.8.1 cpe:/a:fasterxml:jackson-databind:2.8.8.1
Fasterxml Jackson-databind 2.8.9 cpe:/a:fasterxml:jackson-databind:2.8.9
Fasterxml Jackson-databind 2.8.10 cpe:/a:fasterxml:jackson-databind:2.8.10
Fasterxml Jackson-databind 2.8.11 cpe:/a:fasterxml:jackson-databind:2.8.11
Fasterxml Jackson-databind 2.8.11.1 cpe:/a:fasterxml:jackson-databind:2.8.11.1
Fasterxml Jackson-databind 2.8.11.2 cpe:/a:fasterxml:jackson-databind:2.8.11.2
Fasterxml Jackson-databind 2.8.11.3 cpe:/a:fasterxml:jackson-databind:2.8.11.3
Fasterxml Jackson-databind 2.9.0 cpe:/a:fasterxml:jackson-databind:2.9.0
Fasterxml Jackson-databind 2.9.0 cpe:/a:fasterxml:jackson-databind:2.9.0:-
Fasterxml Jackson-databind 2.9.0 cpe:/a:fasterxml:jackson-databind:2.9.0:prerelease1
Fasterxml Jackson-databind 2.9.0 cpe:/a:fasterxml:jackson-databind:2.9.0:prerelease2
Fasterxml Jackson-databind 2.9.0 cpe:/a:fasterxml:jackson-databind:2.9.0:prerelease3
Fasterxml Jackson-databind 2.9.0 cpe:/a:fasterxml:jackson-databind:2.9.0:prerelease4
Fasterxml Jackson-databind 2.9.1 cpe:/a:fasterxml:jackson-databind:2.9.1
Fasterxml Jackson-databind 2.9.2 cpe:/a:fasterxml:jackson-databind:2.9.2
Fasterxml Jackson-databind 2.9.3 cpe:/a:fasterxml:jackson-databind:2.9.3
Fasterxml Jackson-databind 2.9.4 cpe:/a:fasterxml:jackson-databind:2.9.4
Fasterxml Jackson-databind 2.9.5 cpe:/a:fasterxml:jackson-databind:2.9.5
Fasterxml Jackson-databind 2.9.6 cpe:/a:fasterxml:jackson-databind:2.9.6
Fasterxml Jackson-databind 2.9.7 cpe:/a:fasterxml:jackson-databind:2.9.7
Fasterxml Jackson-databind 2.9.8 cpe:/a:fasterxml:jackson-databind:2.9.8
Fasterxml Jackson-databind 2.9.9 cpe:/a:fasterxml:jackson-databind:2.9.9
Fasterxml Jackson-databind 2.9.9.1 cpe:/a:fasterxml:jackson-databind:2.9.9.1
Netapp Oncommand Workflow Automation - cpe:/a:netapp:oncommand_workflow_automation:-
Netapp Snapcenter - cpe:/a:netapp:snapcenter:-
Debian Debian Linux 8.0 cpe:/o:debian:debian_linux:8.0

CWE

ID Name Description
CWE-20 Improper Input Validation The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.

References

Source Link
MISC https://github.com/FasterXML/jackson-databind/issues/2387
MISC https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.1...jackson-databind-2.9.9.2
MLIST https://lists.debian.org/debian-lts-announce/2019/08/msg00011.html
CONFIRM https://security.netapp.com/advisory/ntap-20190814-0001/
MLIST https://lists.apache.org/thread.html/f17f63b0f8a57e4a5759e01d25cffc0548f0b61ff5c6bfd704ad2f2a@%3Ccommits.ambari.apache.org%3E
MLIST https://lists.apache.org/thread.html/e25e734c315f70d8876a846926cfe3bfa1a4888044f146e844caf72f@%3Ccommits.ambari.apache.org%3E
MLIST https://lists.apache.org/thread.html/525bcf949a4b0da87a375cbad2680b8beccde749522f24c49befe7fb@%3Ccommits.pulsar.apache.org%3E
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OVRZDN2T6AZ6DJCZJ3VSIQIVHBVMVWBL/
REDHAT https://access.redhat.com/errata/RHSA-2019:2936
REDHAT https://access.redhat.com/errata/RHSA-2019:2937
REDHAT https://access.redhat.com/errata/RHSA-2019:2938
REDHAT https://access.redhat.com/errata/RHSA-2019:2858
MLIST https://lists.apache.org/thread.html/ee0a051428d2c719acfa297d0854a189ea5e284ef3ed491fa672f4be@%3Cdev.tomee.apache.org%3E
MLIST https://lists.apache.org/thread.html/5ecc333113b139429f4f05000d4aa2886974d4df3269c1dd990bb319@%3Cdev.tomee.apache.org%3E
MLIST https://lists.apache.org/thread.html/87e46591de8925f719664a845572d184027258c5a7af0a471b53c77b@%3Cdev.tomee.apache.org%3E
MLIST https://lists.apache.org/thread.html/940b4c3fef002461b89a050935337056d4a036a65ef68e0bbd4621ef@%3Cdev.struts.apache.org%3E
MLIST https://lists.apache.org/thread.html/0fcef7321095ce0bc597d468d150cff3d647f4cb3aef3bd4d20e1c69@%3Ccommits.tinkerpop.apache.org%3E
REDHAT https://access.redhat.com/errata/RHSA-2019:2743
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UKUALE2TUCKEKOHE2D342PQXN4MWCSLC/
MLIST https://lists.apache.org/thread.html/0d4b630d9ee724aee50703397d9d1afa2b2befc9395ba7797d0ccea9@%3Cdev.tomee.apache.org%3E
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TXRVXNRFHJSQWFHPRJQRI5UPMZ63B544/
MLIST https://lists.apache.org/thread.html/2d2a76440becb610b9a9cb49b15eac3934b02c2dbcaacde1000353e4@%3Cdev.tomee.apache.org%3E
REDHAT https://access.redhat.com/errata/RHSA-2019:2935
MLIST https://lists.apache.org/thread.html/5fc0e16b7af2590bf1e97c76c136291c4fdb244ee63c65c485c9a7a1@%3Cdev.tomee.apache.org%3E
MLIST https://lists.apache.org/thread.html/56c8042873595b8c863054c7bfccab4bf2c01c6f5abedae249d914b9@%3Cdev.tomee.apache.org%3E
MLIST https://lists.apache.org/thread.html/34717424b4d08b74f65c09a083d6dd1cb0763f37a15d6de135998c1d@%3Cdev.tomee.apache.org%3E

History of changes

Date Event
2019-10-06 23:15
2019-08-22 10:15
2019-08-21 18:08
2019-08-13 00:15
2019-08-06 12:58
2019-07-29 13:29 New CVE