CVE - CVE-2019-12384

CVE-ID
CVE-2019-12384	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
BUGTRAQ:20191007 [SECURITY] [DSA 4542-1] jackson-databind security update URL:https://seclists.org/bugtraq/2019/Oct/6 CONFIRM:https://lists.debian.org/debian-lts-announce/2019/06/msg00019.html URL:https://lists.debian.org/debian-lts-announce/2019/06/msg00019.html CONFIRM:https://security.netapp.com/advisory/ntap-20190703-0002/ URL:https://security.netapp.com/advisory/ntap-20190703-0002/ DEBIAN:DSA-4542 URL:https://www.debian.org/security/2019/dsa-4542 FEDORA:FEDORA-2019-99ff6aa32c URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UKUALE2TUCKEKOHE2D342PQXN4MWCSLC/ FEDORA:FEDORA-2019-ae6a703b8f URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OVRZDN2T6AZ6DJCZJ3VSIQIVHBVMVWBL/ FEDORA:FEDORA-2019-fb23eccc03 URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TXRVXNRFHJSQWFHPRJQRI5UPMZ63B544/ MISC:https://blog.doyensec.com/2019/07/22/jackson-gadgets.html URL:https://blog.doyensec.com/2019/07/22/jackson-gadgets.html MISC:https://doyensec.com/research.html URL:https://doyensec.com/research.html MISC:https://github.com/FasterXML/jackson-databind/compare/74b90a4...a977aad URL:https://github.com/FasterXML/jackson-databind/compare/74b90a4...a977aad MISC:https://www.oracle.com/security-alerts/cpuapr2020.html URL:https://www.oracle.com/security-alerts/cpuapr2020.html MISC:https://www.oracle.com/security-alerts/cpujan2020.html URL:https://www.oracle.com/security-alerts/cpujan2020.html MISC:https://www.oracle.com/security-alerts/cpujul2020.html URL:https://www.oracle.com/security-alerts/cpujul2020.html MISC:https://www.oracle.com/security-alerts/cpuoct2020.html URL:https://www.oracle.com/security-alerts/cpuoct2020.html MISC:https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html URL:https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html MLIST:[cassandra-commits] 20190919 [jira] [Created] (CASSANDRA-15328) Bump jackson version to >= 2.9.9.3 to address security vulnerabilities URL:https://lists.apache.org/thread.html/3f99ae8dcdbd69438cb733d745ee3ad5e852068490719a66509b4592@%3Ccommits.cassandra.apache.org%3E MLIST:[debian-lts-announce] 20190621 [SECURITY] [DLA 1831-1] jackson-databind security update URL:https://lists.debian.org/debian-lts-announce/2019/06/msg00019.html MLIST:[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities URL:https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E MLIST:[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities URL:https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E MLIST:[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities URL:https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E MLIST:[geode-notifications] 20191007 [GitHub] [geode] jmelchio commented on issue #4102: Fix for GEODE-7255: Pickup Jackson CVE fix URL:https://lists.apache.org/thread.html/e0733058c0366b703e6757d8d2a7a04b943581f659e9c271f0841dfe@%3Cnotifications.geode.apache.org%3E MLIST:[nifi-commits] 20191113 svn commit: r1869773 - /nifi/site/trunk/security.html URL:https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E MLIST:[nifi-commits] 20200123 svn commit: r1873083 - /nifi/site/trunk/security.html URL:https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E MLIST:[struts-dev] 20190908 Build failed in Jenkins: Struts-master-JDK8-dependency-check #204 URL:https://lists.apache.org/thread.html/940b4c3fef002461b89a050935337056d4a036a65ef68e0bbd4621ef@%3Cdev.struts.apache.org%3E MLIST:[tomee-dev] 20190905 [GitHub] [tomee] asf-ci commented on issue #548: [TOMEE-2655] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439 URL:https://lists.apache.org/thread.html/56c8042873595b8c863054c7bfccab4bf2c01c6f5abedae249d914b9@%3Cdev.tomee.apache.org%3E MLIST:[tomee-dev] 20190905 [GitHub] [tomee] asf-ci commented on issue #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439 URL:https://lists.apache.org/thread.html/0d4b630d9ee724aee50703397d9d1afa2b2befc9395ba7797d0ccea9@%3Cdev.tomee.apache.org%3E MLIST:[tomee-dev] 20190905 [GitHub] [tomee] robert-schaft-hon commented on issue #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439 URL:https://lists.apache.org/thread.html/ee0a051428d2c719acfa297d0854a189ea5e284ef3ed491fa672f4be@%3Cdev.tomee.apache.org%3E MLIST:[tomee-dev] 20190905 [GitHub] [tomee] rzo1 opened a new pull request #548: [TOMEE-2655] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439 URL:https://lists.apache.org/thread.html/2d2a76440becb610b9a9cb49b15eac3934b02c2dbcaacde1000353e4@%3Cdev.tomee.apache.org%3E MLIST:[tomee-dev] 20190905 [GitHub] [tomee] rzo1 opened a new pull request #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439 URL:https://lists.apache.org/thread.html/34717424b4d08b74f65c09a083d6dd1cb0763f37a15d6de135998c1d@%3Cdev.tomee.apache.org%3E MLIST:[tomee-dev] 20190906 [GitHub] [tomee] rzo1 commented on issue #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439 URL:https://lists.apache.org/thread.html/5ecc333113b139429f4f05000d4aa2886974d4df3269c1dd990bb319@%3Cdev.tomee.apache.org%3E MLIST:[tomee-dev] 20190909 [GitHub] [tomee] jgallimore merged pull request #548: [TOMEE-2655] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439 URL:https://lists.apache.org/thread.html/87e46591de8925f719664a845572d184027258c5a7af0a471b53c77b@%3Cdev.tomee.apache.org%3E MLIST:[tomee-dev] 20190909 [GitHub] [tomee] jgallimore merged pull request #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439 URL:https://lists.apache.org/thread.html/5fc0e16b7af2590bf1e97c76c136291c4fdb244ee63c65c485c9a7a1@%3Cdev.tomee.apache.org%3E REDHAT:RHSA-2019:1820 URL:https://access.redhat.com/errata/RHSA-2019:1820 REDHAT:RHSA-2019:2720 URL:https://access.redhat.com/errata/RHSA-2019:2720 REDHAT:RHSA-2019:2858 URL:https://access.redhat.com/errata/RHSA-2019:2858 REDHAT:RHSA-2019:2935 URL:https://access.redhat.com/errata/RHSA-2019:2935 REDHAT:RHSA-2019:2936 URL:https://access.redhat.com/errata/RHSA-2019:2936 REDHAT:RHSA-2019:2937 URL:https://access.redhat.com/errata/RHSA-2019:2937 REDHAT:RHSA-2019:2938 URL:https://access.redhat.com/errata/RHSA-2019:2938 REDHAT:RHSA-2019:2998 URL:https://access.redhat.com/errata/RHSA-2019:2998 REDHAT:RHSA-2019:3149 URL:https://access.redhat.com/errata/RHSA-2019:3149 REDHAT:RHSA-2019:3200 URL:https://access.redhat.com/errata/RHSA-2019:3200 REDHAT:RHSA-2019:3292 URL:https://access.redhat.com/errata/RHSA-2019:3292 REDHAT:RHSA-2019:3297 URL:https://access.redhat.com/errata/RHSA-2019:3297 REDHAT:RHSA-2019:3901 URL:https://access.redhat.com/errata/RHSA-2019:3901 REDHAT:RHSA-2019:4352 URL:https://access.redhat.com/errata/RHSA-2019:4352
Assigning CNA
MITRE Corporation
Date Record Created
20190527	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20190527)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)