Optimization Framework / OPTFRA-625

CMSO Security/Vulnerability CVE-2019-12814 jackson-databind


    • Type: Bug
    • Resolution: Done
    • Priority: Medium
    • Fix Version: El Alto Release
    • Component: CMSO


      A polymorphic typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When default typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has a JDOM 1.x or 2.x jar on the classpath, an attacker can send a specially crafted JSON message that lets them read arbitrary local files on the server. The jackson-databind package is therefore vulnerable to information exposure via deserialization of untrusted data: the validateSubType() method in the SubTypeValidator class does not reject the untrusted types org.jdom.transform.XSLTransformer and org.jdom2.transform.XSLTransformer, so they can be deserialized. A remote attacker can exploit this by submitting a malicious serialized object to an affected JSON endpoint; on deserialization it may allow the attacker to exfiltrate sensitive information from arbitrary files on the server. Both preconditions are required: with default typing disabled, or without a JDOM jar on the classpath, the gadget is not reachable. jackson-databind 2.9.9.1 adds these two classes to the SubTypeValidator blocklist; the durable fix is to stop enabling default typing on externally reachable endpoints, or to restrict it with an allow-list of application-owned types.
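      The following Java example is added here to show the mechanism the description relies on; it is not CMSO project code. It assumes jackson-databind 2.10 or later on the classpath (for the PolymorphicTypeValidator API), and the package name com.example.cmso.demo and the classes Event and Note are hypothetical. The "vulnerable" mapper uses the deprecated enableDefaultTyping() that CVE-2019-12814 requires, so the client controls the class name in the ["<class>", <value>] wrapper array and any resolvable class is instantiated; the "hardened" mapper only resolves type ids under the application's own package, so a payload naming org.jdom.transform.XSLTransformer is refused before any constructor runs.

```java
package com.example.cmso.demo;  // hypothetical package, not part of CMSO

import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingDemo {

    /** Hypothetical DTO. An Object-typed field is exactly what default typing resolves polymorphically. */
    public static class Event {
        public String name;
        public Object payload;
    }

    /** The only payload type the application intends to accept (hypothetical). */
    public static class Note {
        public String text;
    }

    // Vulnerable configuration (the CVE-2019-12814 precondition): global default typing with no
    // allow-list. Whatever class name the JSON carries is looked up on the classpath and instantiated;
    // with a JDOM jar present that includes org.jdom.transform.XSLTransformer.
    @SuppressWarnings("deprecation")
    public static ObjectMapper vulnerableMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    // Hardened configuration: default typing is still active (the DTO needs it), but the validator only
    // accepts sub-types whose class name starts with our own package prefix.
    public static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.cmso.")
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: what a legitimate client sends under default typing.
        String benign = "{\"name\":\"ok\",\"payload\":"
                + "[\"com.example.cmso.demo.DefaultTypingDemo$Note\",{\"text\":\"hello\"}]}";
        // Constructed sample input: the client picks a class the application never meant to accept.
        // java.io.File is used as a harmless stand-in for the JDOM gadget; it is only constructed here.
        String foreignType = "{\"name\":\"x\",\"payload\":[\"java.io.File\",\"/etc/passwd\"]}";
        // Constructed sample input naming the class the advisory lists; the body is left empty on purpose.
        String jdomType = "{\"name\":\"x\",\"payload\":[\"org.jdom.transform.XSLTransformer\",{}]}";

        Event e1 = vulnerableMapper().readValue(foreignType, Event.class);
        System.out.println("vulnerable mapper instantiated: " + e1.payload.getClass().getName());

        Event e2 = hardenedMapper().readValue(benign, Event.class);
        System.out.println("hardened mapper accepted: " + e2.payload.getClass().getName());

        for (String hostile : new String[] {foreignType, jdomType}) {
            try {
                hardenedMapper().readValue(hostile, Event.class);
                System.out.println("UNEXPECTED: hardened mapper accepted hostile payload");
            } catch (InvalidTypeIdException ex) {
                // The validator denies the type id before any class is loaded or constructed.
                System.out.println("hardened mapper rejected: " + ex.getTypeId());
            }
        }
    }
}
```

      Run with jackson-databind 2.10+ on the classpath; JDOM does not need to be present for the rejection path, because the allow-list check happens on the type id string before class resolution. Using an allow-list rather than relying on the SubTypeValidator blocklist is the point: the blocklist only knows about gadgets that have already been reported.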


      Scan finding: com.fasterxml.jackson.core:jackson-databind 2.9.9, CVE-2019-12814, assessment: Ineffective

            Assignee: jf9860
            Reporter: jf9860
