The vulnerability of the implementation of the polymorphic data typing mechanism in the FasterXML Jackson-databind library allows a attacker to gain full control over the application.

🗓️ 11 Feb 2020 00:00:00Reported by FSTEC of Russia — Information Security Threat DatabaseType

bdu_fstec

bdu_fstec🔗 bdu.fstec.ru👁 1 Views

Jackson polymorphic typing flaw enables remote attacker to gain full control via input handling and Ehcache Jta

Reporter	Title	Published	Views	Family All 158
IBM Security Bulletins	Security Bulletin: Vulnerabilities in FasterXML Jackson libraries affect IBM Cúram Social Program Management (CVE-2019-17531, CVE-2019-17267, CVE-2019-16942, CVE-2019-16335, CVE-2019-14540)	17 Dec 201909:46	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Maximo Asset Management is vulnerable to Multiple Jackson-Databind CVEs - February 2020	1 Mar 202212:38	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Cloud Pak for Multicloud Management Monitoring has patched several open source dependencies	18 Dec 202115:42	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Security Guardium Insights is affected by Components with known vulnerabilities	6 Oct 202112:30	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerability in jackson-databind affects IBM Process Mining (Multiple CVEs)	1 Feb 202321:46	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Cognos Business Intelligence has addressed multiple vulnerabilities (Q12021)	29 Jan 202118:58	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Data Risk Manager is affected by multiple vulnerabilities	13 Aug 202122:15	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple security vulnerabilities have been Identified In Jackson Databind library shipped with IBM Global Mailbox	24 Jul 202017:07	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple CVEs affect IBM Integration Designer	1 Feb 202319:40	–	ibm
IBM Security Bulletins	Security Bulletin: CVEs addressed in latest release of Cloudera Observability	14 Nov 202513:59	–	ibm

Vulners

Node

oracle webcenter_portalMatch12.2.1.3.0

OR

oracle weblogic_serverMatch12.2.1.3.0

OR

red_hat red_hat_jboss_fuseMatch7

OR

oracle retail_customer_management_and_segmentationMatch17.0

OR

oracle retail_customer_management_and_segmentationMatch18.0

OR

red_hat jboss_enterprise_application_platformMatch7.2

OR

fasterxml,_llc jackson-databindRange<2.9.10

OR

red_hat jboss_enterprise_application_platformMatch7

OR

red_hat jboss_data_gridMatch7

OR

red_hat red_hat_process_automation_managerMatch7

OR

apache drillMatch1.16.0

OR

red_hat red_hat_amq_streamsMatch1

OR

red_hat red_hat_single_sign-onMatch7.3

OR

red_hat openshift_container_platformMatch4.3

OR

red_hat red_hat_descision_managerMatch7

OR

oracle webcenter_portalMatch12.2.1.4.0

OR

oracle oracle_goldengate_application_adaptersMatch19.1.0.0.0

OR

canonical ubuntuMatch19.10

Source	Link
access	www.access.redhat.com/errata/RHSA-2019:3200
access	www.access.redhat.com/errata/RHSA-2020:0159
access	www.access.redhat.com/errata/RHSA-2020:0160
access	www.access.redhat.com/errata/RHSA-2020:0161
access	www.access.redhat.com/errata/RHSA-2020:0164
access	www.access.redhat.com/errata/RHSA-2020:0445
github	www.github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.3...jackson-databind-2.9.10
github	www.github.com/FasterXML/jackson-databind/issues/2460
lists	www.lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E
lists	www.lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E

05 Mar 2025 00:00Current

7.1High risk

Vulners AI Score7.1

CVSS 39.8

CVSS 210

EPSS0.01195

jackson databind polymorphic typing remote attacker full control input handling Ehcache Jta