- Type: Bug
- Resolution: Done
- Priority: Medium
- Fix Version/s: El Alto Release
CMSO Security/Vulnerability CVE-2019-12384 jackson-databind

FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.

The jackson-databind package is vulnerable to Remote Code Execution (RCE). The validateSubType() function in the SubTypeValidator class allows untrusted Java objects, such as ch.qos.logback.core.db.DriverManagerConnectionSource, to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it.

com.fasterxml.jackson.core | jackson-databind | 2.9.9 | CVE-2019-12384 | Ineffective |
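The description above is about the blocklist in Jackson's SubTypeValidator failing to cover one more gadget class. The durable mitigation on the application side is to never enable default typing without an explicit allow-list of the subtypes the application actually expects. The following is an added illustration, not code from the OPTFRA ticket or the ONAP CMSO project: it puts the weak configuration (global default typing, Jackson 2.9 API) next to the hardened one, and shows that the hardened mapper refuses to instantiate a class it was not told about. It assumes Jackson 2.10 or later on the classpath, since activateDefaultTyping(PolymorphicTypeValidator, DefaultTyping) and BasicPolymorphicTypeValidator do not exist in the 2.9.9 listed in the table; the Shape and Circle classes are hypothetical, and the input strings are constructed for the demonstration.

```java
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class SafePolymorphicMapper {

    // Hypothetical application types used only for this demonstration.
    public static abstract class Shape { }
    public static class Circle extends Shape { public double r; }

    // Weak configuration (the pattern to avoid): global default typing with no allow-list.
    // Every class name carried in the input becomes a candidate for instantiation; the only
    // guard is the library's built-in SubTypeValidator blocklist, the check that
    // CVE-2019-12384 shows to be incomplete. enableDefaultTyping() is deprecated since 2.10.
    public static ObjectMapper weakMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping();
        return m;
    }

    // Hardened configuration (Jackson 2.10+): default typing is activated only together with
    // a PolymorphicTypeValidator that allows nothing except the application's own Shape types.
    public static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType(Shape.class)   // allow-list, not blocklist
            .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    // Returns true when the mapper accepts the input and instantiates the class it names,
    // false when the type id is denied by the validator or the type-id resolution.
    public static boolean accepts(ObjectMapper m, String json) {
        try {
            m.readValue(json, Object.class);
            return true;
        } catch (JsonMappingException e) {
            return false;
        } catch (Exception e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: a type id naming a harmless JDK class that is NOT in the allow-list.
        // Default typing uses the WRAPPER_ARRAY shape: ["fully.qualified.Class", {...}].
        String foreignType = "[\"java.util.HashMap\", {}]";

        // Legitimate input: whatever the hardened mapper itself produces for a Circle.
        Circle c = new Circle();
        c.r = 2.0;
        String own = hardenedMapper().writeValueAsString(c);

        System.out.println("weak mapper instantiates foreign class: "
                + accepts(weakMapper(), foreignType));
        System.out.println("hardened mapper instantiates foreign class: "
                + accepts(hardenedMapper(), foreignType));
        System.out.println("hardened mapper still reads its own types: "
                + accepts(hardenedMapper(), own));
    }
}
```

With the weak mapper the first call instantiates java.util.HashMap simply because the input named it; with the hardened mapper the same input is rejected before any constructor runs, while the mapper's own Circle output still round-trips. Upgrading to 2.9.9.1 closes the specific gap the ticket tracks, but only the allow-list removes the dependence on the blocklist being complete for every library on the classpath.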
- clones: OPTFRA-623 CMSO Security/Vulnerability SONATYPE-2017-0312 jackson-databind (Closed)
- is cloned by: OPTFRA-625 CMSO Security/Vulnerability CVE-2019-12814 jackson-databind (Closed)
- relates to: OPTFRA-641 Perform Software Composition Analysis - Vulnerability tables (Closed)