Bug
Resolution: Done
Medium
None
El Alto Release
None
CMSO Security/Vulnerability CVE-2019-12814 jackson-databind
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has a JDOM 1.x or 2.x jar on the classpath, an attacker can send a specifically crafted JSON message that lets them read arbitrary local files on the server. The jackson-databind package is vulnerable to Information Exposure via Deserialization of Untrusted Data: the validateSubType() method of the SubTypeValidator class does not block the JDOM classes org.jdom.transform.XSLTransformer and org.jdom2.transform.XSLTransformer, so a polymorphic type id naming one of them is accepted and the class is instantiated from attacker-controlled properties. A remote attacker can exploit this by sending a crafted JSON message to an affected endpoint which, upon deserialization, may allow the attacker to exfiltrate sensitive information from arbitrary files on the server.
| com.fasterxml.jackson.core | jackson-databind | 2.9.9 | CVE-2019-12814 | Ineffective |
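The precondition in the description is Default Typing: a mapper that accepts any class name as a polymorphic type id and, in 2.9.9, relies only on the SubTypeValidator denylist that the JDOM classes bypass. The following is an added example, not CMSO or jackson-databind project code, showing that weak configuration next to the hardened form available from jackson-databind 2.10 (an explicit PolymorphicTypeValidator allow-list). The Task, ShellTask and Job classes are hypothetical application types chosen so that the "task" field is non-concrete and therefore carries a type id; the JSON documents are constructed for the demonstration, and the second one names a gadget class from the advisory only as a type id, with no properties.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingDemo {

    // Hypothetical application types (not from CMSO): the only polymorphic
    // hierarchy the endpoint legitimately needs to accept.
    public static abstract class Task { public String name; }
    public static class ShellTask extends Task { public String command; }

    // The field is declared as the abstract base type, which is what makes
    // DefaultTyping.OBJECT_AND_NON_CONCRETE expect a type id in the JSON.
    public static class Job { public Task task; }

    /** Weak configuration: any class name on the classpath is accepted as a type id. */
    public static ObjectMapper vulnerableMapper() {
        ObjectMapper mapper = new ObjectMapper();
        // Deprecated since 2.10. On 2.9.9 this relies solely on the built-in
        // SubTypeValidator denylist, which CVE-2019-12814 bypasses via the
        // org.jdom / org.jdom2 XSLTransformer classes when JDOM is present.
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return mapper;
    }

    /** Hardened configuration (jackson-databind >= 2.10): allow-list the subtypes explicitly. */
    public static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Task.class)   // only classes assignable to Task may appear as type ids
                .build();
        return JsonMapper.builder()
                .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE)
                .build();
    }

    public static void main(String[] args) throws Exception {
        // Constructed legitimate document: the type id is inside the allow-listed hierarchy,
        // so both mappers accept it (the fix does not break the intended use).
        String legit = "{\"task\":[\"" + ShellTask.class.getName()
                + "\",{\"name\":\"backup\",\"command\":\"rsync\"}]}";
        Job fromOld = vulnerableMapper().readValue(legit, Job.class);
        Job fromNew = hardenedMapper().readValue(legit, Job.class);
        System.out.println("accepted by both: " + fromOld.task.getClass().getSimpleName()
                + " / " + fromNew.task.getClass().getSimpleName());

        // Constructed document naming a gadget class from the advisory as the type id.
        // The hardened mapper rejects it before the class is resolved or instantiated,
        // whether or not JDOM is on the classpath.
        String gadgetTypeId = "{\"task\":[\"org.jdom2.transform.XSLTransformer\",{}]}";
        try {
            hardenedMapper().readValue(gadgetTypeId, Job.class);
            System.out.println("unexpected: type id was accepted");
        } catch (InvalidTypeIdException e) {
            System.out.println("rejected type id: " + e.getTypeId());
        }
    }
}
```

The same allow-list applies to property-level polymorphism (@JsonTypeInfo(use = Id.CLASS)) when it is installed with JsonMapper.builder().polymorphicTypeValidator(ptv); the check to make when triaging a finding like this one is whether any mapper in the service enables default typing or Id.CLASS on an externally reachable endpoint, since without that the finding is indeed ineffective.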
clones: OPTFRA-624 CMSO Security/Vulnerability CVE-2019-12384 jackson-databind (Closed)
relates to: OPTFRA-641 Perform Software Composition Analysis - Vulnerability tables (Closed)