CVE-2019-14379

Deserialization of untrusted data in FasterXML jackson-databind

SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2, 2.8.11.4, and 2.7.9.6 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution.

Patch Available

Fix available through Seal Security. No upgrade required, protect your application instantly.

Vulnerability Details

Score: 9.8
Score Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Versions:
- com.fasterxml.jackson.core:jackson-databind >= 2.9.0 < 2.9.9.2
- com.fasterxml.jackson.core:jackson-databind >= 2.8.0 < 2.8.11.4
- com.fasterxml.jackson.core:jackson-databind < 2.7.9.6
Severity:
Ecosystem:
Publish Date: August 1, 2019
Modified Date: March 15, 2024