History: Jun 19, 2019 - 2:15 p.m.

CVE-2019-12814

Published: 2019-06-19 14:15:10
CWE: CWE-502
Source: web.nvd.nist.gov
Tags: cve-2019-12814, fasterxml, jackson-databind, polymorphic typing, json, nvd

CVSS2: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
  Attack Vector: NETWORK
  Attack Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: NONE
  Availability Impact: NONE

CVSS3: 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
  Attack Vector: NETWORK
  Attack Complexity: HIGH
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: NONE
  Availability Impact: NONE

AI Score: 7.3 (Confidence: Low)

EPSS: 0.015 (Percentile: 87.2%)

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has a JDOM 1.x or 2.x jar on the classpath, an attacker can send a specially crafted JSON message whose type identifier names a JDOM class, and deserializing it lets the attacker read arbitrary local files on the server (CWE-502, deserialization of untrusted data).
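The following is an added example, not code from the NVD entry or from the jackson-databind project, showing what "Default Typing enabled" means in practice and the configuration that closes this whole class of gadget attacks rather than one gadget at a time. The `Shape`, `Circle`, `Drawing` types and the two sample payloads are constructed for illustration; the hostile payload uses a harmless JDK class as a stand-in for an attacker-chosen type and is not the JDOM gadget. The hardened mapper uses `PolymorphicTypeValidator`, which exists in jackson-databind 2.10 and later; on 2.9.x the only option is to upgrade or to stop using default typing.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingDemo {

    // Hypothetical application types; the Object-typed property on Drawing is
    // exactly the kind of field that default typing resolves from a type id
    // embedded in the JSON, i.e. from attacker-controlled input.
    public interface Shape { }
    public static class Circle implements Shape { public double radius; }
    public static class Drawing { public Object shape; }

    // BEFORE (the vulnerable pattern from the advisory): default typing with no
    // validator. Any non-final class on the classpath that is named in the
    // type id becomes a candidate for instantiation; jackson-databind <= 2.9.9
    // only consulted a deny-list of known gadgets, and the JDOM class behind
    // this CVE was not yet on it.
    @SuppressWarnings("deprecation")
    static ObjectMapper legacyMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    // AFTER: default typing gated by an allow-list. Only subtypes of our own
    // Shape hierarchy may be named; everything else, including any JDOM class,
    // is rejected before a constructor runs.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Shape.class)
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    // Returns true when the mapper refuses the type id in the payload.
    static boolean rejectsTypeId(ObjectMapper mapper, String json) {
        try {
            mapper.readValue(json, Drawing.class);
            return false;
        } catch (InvalidTypeIdException e) {
            return true;
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    public static void main(String[] args) {
        // Constructed sample payloads. With NON_FINAL default typing the wire
        // form is ["fully.qualified.ClassName", {...}] (array-style type id).
        String legit = "{\"shape\":[\"" + Circle.class.getName() + "\",{\"radius\":2.0}]}";
        // Same shape as a gadget attempt: a class outside the application's
        // hierarchy. java.util.ArrayList is a harmless stand-in, not a gadget.
        String hostile = "{\"shape\":[\"java.util.ArrayList\",[]]}";

        System.out.println("legacy   rejects legit:   " + rejectsTypeId(legacyMapper(), legit));
        System.out.println("legacy   rejects hostile: " + rejectsTypeId(legacyMapper(), hostile));
        System.out.println("hardened rejects legit:   " + rejectsTypeId(hardenedMapper(), legit));
        System.out.println("hardened rejects hostile: " + rejectsTypeId(hardenedMapper(), hostile));
    }
}
```

The legacy mapper instantiates whatever the payload names, so the hostile message deserializes successfully; the hardened mapper throws `InvalidTypeIdException` for it while still accepting the legitimate `Circle`. The distinction matters for this CVE specifically: the upstream fix added the JDOM gadget to the deny-list, which is why the advisory history of jackson-databind is a long series of similar CVEs, whereas an allow-list on your own base type is not bypassed by the next gadget jar that lands on the classpath. If polymorphism is needed at all, `@JsonTypeInfo`/`@JsonSubTypes` on a specific base type is preferable to enabling default typing globally.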

Affected configurations

NVD
Node
fasterxml jackson-databind Range 2.0.0–2.6.7.3
OR
fasterxml jackson-databind Range 2.7.0–2.7.9.6
OR
fasterxml jackson-databind Range 2.8.0–2.8.11.4
OR
fasterxml jackson-databind Range 2.9.0–2.9.9.2
Node
debian debian_linux Match 8.0
