Lucene search

K
redhatcveRedhat.comRH:CVE-2019-16335
HistoryAug 22, 2021 - 1:15 p.m.

CVE-2019-16335

2021-08-2213:15:03
redhat.com
access.redhat.com
44

EPSS

0.004

Percentile

74.0%

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.

Mitigation

This vulnerability relies on com.zaxxer.hikari.HikariDataSource being present in the application's ClassPath. Hikari is not packaged as an RPM for Red Hat Enterprise Linux or Red Hat Software Collections. Applications using jackson-databind that do not also use com.zaxxer.hikari are not impacted by this vulnerability.

A mitigation to this class of problem in jackson-databind is to not trigger polymorphic desrialization globally by using: objectMapper.enableDefaultTyping() and rather use @JsonTypeInfo on the class property to explicitly define the type information. For more information on this issue please refer to <https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true&gt;