Lucene search

[email protected]NVD:CVE-2019-17531

HistoryOct 12, 2019 - 9:15 p.m.

CVE-2019-17531

2019-10-1221:15:08

CWE-502

[email protected]

web.nvd.nist.gov

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.4 High

AI Score

Confidence

High

0.007 Low

EPSS

Percentile

80.2%

JSON

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.

Affected configurations

NVD

Node

fasterxmljackson-databindRange2.0.0–2.6.7.3

fasterxmljackson-databindRange2.7.0–2.8.11.5

fasterxmljackson-databindRange2.9.0–2.9.10.1

Node

debiandebian_linuxMatch8.0

Node

redhatjboss_enterprise_application_platformMatch7.2

redhatjboss_enterprise_application_platformMatch7.3

AND

redhatenterprise_linux_serverMatch6.0

redhatenterprise_linux_serverMatch7.0

redhatenterprise_linux_serverMatch8.0

Node

oraclebanking_platformMatch2.4.0

oraclebanking_platformMatch2.4.1

oraclebanking_platformMatch2.5.0

oraclebanking_platformMatch2.6.0

oraclebanking_platformMatch2.6.1

oraclebanking_platformMatch2.6.2

oraclebanking_platformMatch2.7.0

oraclebanking_platformMatch2.7.1

oraclebanking_platformMatch2.9.0

oraclecommunications_billing_and_revenue_managementMatch7.5.0.23.0

oraclecommunications_billing_and_revenue_managementMatch12.0.0.3.0

oraclecommunications_calendar_serverMatch8.0.0.2.0

oraclecommunications_calendar_serverMatch8.0.0.3.0

oraclecommunications_cloud_native_core_network_slice_selection_functionMatch1.2.1

oraclecommunications_evolved_communications_application_serverMatch7.1

oracleglobal_lifecycle_management_nextgen_oui_frameworkMatch12.2.1.3.0

oracleglobal_lifecycle_management_nextgen_oui_frameworkMatch12.2.1.4.0

oracleglobal_lifecycle_management_nextgen_oui_frameworkMatch13.9.4.2.2

oraclegoldengate_application_adaptersMatch19.1.0.0.0

oraclejd_edwards_enterpriseone_orchestratorMatch9.2

oraclejd_edwards_enterpriseone_toolsMatch9.2

oracleprimavera_gatewayRange17.7–17.12.6

oracleprimavera_gatewayRange18.8.0–18.8.8

oracleprimavera_gatewayMatch16.1

oracleprimavera_gatewayMatch16.2

oracleprimavera_gatewayMatch19.12.0

oracleretail_merchandising_systemMatch15.0.3

oracleretail_merchandising_systemMatch16.0.2

oracleretail_merchandising_systemMatch16.0.3

oracleretail_sales_auditMatch14.1

oraclesiebel_engineering_-_installer_\&_deploymentRange≤2.20.5

oracletrace_file_analyzerMatch12.2.0.1

oracletrace_file_analyzerMatch18c

oracletrace_file_analyzerMatch19c

oraclewebcenter_portalMatch12.2.1.3.0

oraclewebcenter_portalMatch12.2.1.4.0

oraclewebcenter_sitesMatch12.2.1.3.0

oraclewebcenter_sitesMatch12.2.1.4.0

oracleweblogic_serverMatch12.2.1.3.0

oracleweblogic_serverMatch12.2.1.4.0

Node

netapponcommand_workflow_automationMatch-

netappsteelstore_cloud_integrated_storageMatch-

References

access.redhat.com/errata/RHSA-2019:4192

access.redhat.com/errata/RHSA-2020:0159

access.redhat.com/errata/RHSA-2020:0160

access.redhat.com/errata/RHSA-2020:0161

access.redhat.com/errata/RHSA-2020:0164

access.redhat.com/errata/RHSA-2020:0445

github.com/FasterXML/jackson-databind/issues/2498

lists.apache.org/thread.html/b3c90d38f99db546de60fea65f99a924d540fae2285f014b79606ca5%40%3Ccommits.pulsar.apache.org%3E

lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E

lists.apache.org/thread.html/r392099ed2757ff2e383b10440594e914d080511d7da1c8fed0612c1f%40%3Ccommits.druid.apache.org%3E

lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E

lists.debian.org/debian-lts-announce/2019/12/msg00013.html

medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062

security.netapp.com/advisory/ntap-20191024-0005/

www.oracle.com//security-alerts/cpujul2021.html

www.oracle.com/security-alerts/cpuapr2020.html

www.oracle.com/security-alerts/cpujan2020.html

www.oracle.com/security-alerts/cpujul2020.html

www.oracle.com/security-alerts/cpuoct2020.html

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.4 High

AI Score

Confidence

High

0.007 Low

EPSS

Percentile

80.2%

JSON

Related for NVD:CVE-2019-17531

debiancve1 nessus12 redhat13 osv6 symantec1 prion1 ibm28 ubuntucve1 veracode1 cvelist1 redhatcve1 github1 cve1 debian1 f51 openvas3 almalinux1 oraclelinux1 cloudfoundry1 rocky1 qualysblog1 mageia1 ubuntu1 hp1 oracle6