ubuntucve | Ubuntu.com | UB:CVE-2019-16942
History: Oct 01, 2019 - 12:00 a.m.

CVE-2019-16942

polymorphic typing
fasterxml jackson-databind
cve-2019-16942
default typing
commons-dbcp
rmi service
sharedpooldatasource
peruserpooldatasource

CVSS2: 7.5
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3: 9.8
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.005
Percentile: 77.7%

A Polymorphic Typing issue was discovered in FasterXML jackson-databind
2.0.0 through 2.9.10. When Default Typing is enabled (either globally or
for a specific property) for an externally exposed JSON endpoint and the
service has the commons-dbcp (1.4) jar in the classpath, and an attacker
can find an RMI service endpoint to access, it is possible to make the
service execute a malicious payload. This issue exists because of
org.apache.commons.dbcp.datasources.SharedPoolDataSource and
org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.

OS      Version  Architecture  Package           Version                  Filename
ubuntu  18.04    noarch        jackson-databind  < any                    UNKNOWN
ubuntu  14.04    noarch        jackson-databind  < any                    UNKNOWN
ubuntu  16.04    noarch        jackson-databind  < 2.4.2-3ubuntu0.1~esm2  UNKNOWN
