CVE-2019-16943

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.

CVSS v3 9.8 CRITICAL
CVSS v2.0 6.8 MEDIUM

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.8^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 8.6 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://access.redhat.com/errata/RHSA-2020:0159	Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0160	Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0161	Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0164	Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0445	Third Party Advisory
https://github.com/FasterXML/jackson-databind/issues/2478	Patch Third Party Advisory
https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E
https://lists.apache.org/thread.html/5ec8d8d485c2c8ac55ea425f4cd96596ef37312532712639712ebcdd%40%3Ccommits.iceberg.apache.org%3E
https://lists.apache.org/thread.html/6788e4c991f75b89d290ad06b463fcd30bcae99fee610345a35b7bc6%40%3Cissues.iceberg.apache.org%3E
https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E
https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E
https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E
https://lists.apache.org/thread.html/r392099ed2757ff2e383b10440594e914d080511d7da1c8fed0612c1f%40%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E
https://lists.debian.org/debian-lts-announce/2019/10/msg00001.html	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q7CANA7KV53JROZDX5Z5P26UG5VN2K43/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TH5VFUN4P7CCIP7KSEXYA5MUTFCUDUJT/
https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
https://seclists.org/bugtraq/2019/Oct/6	Issue Tracking Mailing List Third Party Advisory
https://security.netapp.com/advisory/ntap-20191017-0006/	Third Party Advisory
https://www.debian.org/security/2019/dsa-4542	Mailing List Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2020.html	Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2020.html	Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2020.html	Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.html	Patch Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0159	Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0160	Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0161	Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0164	Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0445	Third Party Advisory
https://github.com/FasterXML/jackson-databind/issues/2478	Patch Third Party Advisory
https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E
https://lists.apache.org/thread.html/5ec8d8d485c2c8ac55ea425f4cd96596ef37312532712639712ebcdd%40%3Ccommits.iceberg.apache.org%3E
https://lists.apache.org/thread.html/6788e4c991f75b89d290ad06b463fcd30bcae99fee610345a35b7bc6%40%3Cissues.iceberg.apache.org%3E
https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E
https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E
https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E
https://lists.apache.org/thread.html/r392099ed2757ff2e383b10440594e914d080511d7da1c8fed0612c1f%40%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E
https://lists.debian.org/debian-lts-announce/2019/10/msg00001.html	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q7CANA7KV53JROZDX5Z5P26UG5VN2K43/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TH5VFUN4P7CCIP7KSEXYA5MUTFCUDUJT/
https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
https://seclists.org/bugtraq/2019/Oct/6	Issue Tracking Mailing List Third Party Advisory
https://security.netapp.com/advisory/ntap-20191017-0006/	Third Party Advisory
https://www.debian.org/security/2019/dsa-4542	Mailing List Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2020.html	Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2020.html	Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2020.html	Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.html	Patch Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:fasterxml:jackson-databind::::::::
	cpe:2.3:a:fasterxml:jackson-databind::::::::
	cpe:2.3:a:fasterxml:jackson-databind::::::::

Configuration 2 (hide)

OR	cpe:2.3:o:debian:debian_linux:8.0:::::::*
	cpe:2.3:o:debian:debian_linux:9.0:::::::*
	cpe:2.3:o:debian:debian_linux:10.0:::::::*

Configuration 3 (hide)

OR	cpe:2.3:o:fedoraproject:fedora:30:::::::*
	cpe:2.3:o:fedoraproject:fedora:31:::::::*

Configuration 4 (hide)

AND

OR	cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2:::::::*
	cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3:::::::*

OR	cpe:2.3:o:redhat:enterprise_linux_server:6.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server:7.0:::::::*

Configuration 5 (hide)

AND

OR	cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2:::::::*
	cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3:::::::*

cpe:2.3:o:redhat:enterprise_linux_server:8.0:*:*:*:*:*:*:*

Configuration 6 (hide)

OR	cpe:2.3:a:oracle:banking_platform:2.4.0:::::::*
	cpe:2.3:a:oracle:banking_platform:2.4.1:::::::*
	cpe:2.3:a:oracle:banking_platform:2.5.0:::::::*
	cpe:2.3:a:oracle:banking_platform:2.6.0:::::::*
	cpe:2.3:a:oracle:banking_platform:2.6.1:::::::*
	cpe:2.3:a:oracle:banking_platform:2.6.2:::::::*
	cpe:2.3:a:oracle:banking_platform:2.7.0:::::::*
	cpe:2.3:a:oracle:banking_platform:2.7.1:::::::*
	cpe:2.3:a:oracle:banking_platform:2.9.0:::::::*
	cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5.0.23.0:::::::*
	cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0.0.3.0:::::::*
	cpe:2.3:a:oracle:communications_calendar_server:8.0.0.2.0:::::::*
	cpe:2.3:a:oracle:communications_calendar_server:8.0.0.3.0:::::::*
	cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:1.2.1:::::::*
	cpe:2.3:a:oracle:communications_evolved_communications_application_server:7.1:::::::*
	cpe:2.3:a:oracle:global_lifecycle_management_nextgen_oui_framework:12.2.1.3.0:::::::*
	cpe:2.3:a:oracle:global_lifecycle_management_nextgen_oui_framework:12.2.1.4.0:::::::*
	cpe:2.3:a:oracle:global_lifecycle_management_nextgen_oui_framework:13.9.4.2.2:::::::*
	cpe:2.3:a:oracle:goldengate_application_adapters:19.1.0.0.0:::::::*
	cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:9.2:::::::*
	cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:::::::*
	cpe:2.3:a:oracle:primavera_gateway::::::::
	cpe:2.3:a:oracle:primavera_gateway::::::::
	cpe:2.3:a:oracle:primavera_gateway:16.1:::::::*
	cpe:2.3:a:oracle:primavera_gateway:16.2:::::::*
	cpe:2.3:a:oracle:primavera_gateway:19.12.0:::::::*
	cpe:2.3:a:oracle:retail_merchandising_system:15.0.3:::::::*
	cpe:2.3:a:oracle:retail_merchandising_system:16.0.2:::::::*
	cpe:2.3:a:oracle:retail_merchandising_system:16.0.3:::::::*
	cpe:2.3:a:oracle:retail_sales_audit:14.1:::::::*
	cpe:2.3:a:oracle:siebel_engineering_-_installer_\&_deployment::::::::
	cpe:2.3:a:oracle:trace_file_analyzer:12.2.0.1:::::::*
	cpe:2.3:a:oracle:trace_file_analyzer:18c:::::::*
	cpe:2.3:a:oracle:trace_file_analyzer:19c:::::::*
	cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:::::::*
	cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:::::::*
	cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0:::::::*
	cpe:2.3:a:oracle:webcenter_sites:12.2.1.4.0:::::::*
	cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:::::::*
	cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:::::::*

Configuration 7 (hide)

OR	cpe:2.3:a:netapp:active_iq_unified_manager::::::linux::*
	cpe:2.3:a:netapp:active_iq_unified_manager::::::windows::*
	cpe:2.3:a:netapp:active_iq_unified_manager::::::vmware_vsphere::*
	cpe:2.3:a:netapp:oncommand_api_services:-:::::::*
	cpe:2.3:a:netapp:oncommand_workflow_automation:-:::::::*
	cpe:2.3:a:netapp:service_level_manager:-:::::::*
	cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:::::::*

History

21 Nov 2024, 04:31

Information

Published : 2019-10-01 17:15

Updated : 2024-11-21 04:31

NVD link : CVE-2019-16943

Mitre link : CVE-2019-16943

CVE.ORG link : CVE-2019-16943

JSON object : View

Products Affected

oracle

jd_edwards_enterpriseone_tools
retail_sales_audit
siebel_engineering_-_installer_\&_deployment
weblogic_server
jd_edwards_enterpriseone_orchestrator
webcenter_portal
webcenter_sites
communications_evolved_communications_application_server
retail_merchandising_system
communications_billing_and_revenue_management
communications_calendar_server
primavera_gateway
global_lifecycle_management_nextgen_oui_framework
goldengate_application_adapters
banking_platform
trace_file_analyzer
communications_cloud_native_core_network_slice_selection_function

debian

debian_linux

netapp

active_iq_unified_manager
oncommand_api_services
steelstore_cloud_integrated_storage
service_level_manager
oncommand_workflow_automation

redhat

enterprise_linux_server
jboss_enterprise_application_platform

fasterxml

jackson-databind

fedoraproject

fedora

CWE

CWE-502

Deserialization of Untrusted Data

{"id": "CVE-2019-16943", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2019-10-01T17:15:10.400", "references": [{"url": "https://access.redhat.com/errata/RHSA-2020:0159", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://access.redhat.com/errata/RHSA-2020:0160", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://access.redhat.com/errata/RHSA-2020:0161", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://access.redhat.com/errata/RHSA-2020:0164", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://access.redhat.com/errata/RHSA-2020:0445", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/FasterXML/jackson-databind/issues/2478", "tags": ["Patch", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E", "source": "cve@mitre.org"}, {"url": "https://lists.apache.org/thread.html/5ec8d8d485c2c8ac55ea425f4cd96596ef37312532712639712ebcdd%40%3Ccommits.iceberg.apache.org%3E", "source": "cve@mitre.org"}, {"url": "https://lists.apache.org/thread.html/6788e4c991f75b89d290ad06b463fcd30bcae99fee610345a35b7bc6%40%3Cissues.iceberg.apache.org%3E", "source": "cve@mitre.org"}, {"url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E", "source": "cve@mitre.org"}, {"url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E", "source": "cve@mitre.org"}, {"url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E", "source": "cve@mitre.org"}, {"url": "https://lists.apache.org/thread.html/r392099ed2757ff2e383b10440594e914d080511d7da1c8fed0612c1f%40%3Ccommits.druid.apache.org%3E", "source": "cve@mitre.org"}, {"url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E", "source": "cve@mitre.org"}, {"url": "https://lists.debian.org/debian-lts-announce/2019/10/msg00001.html", "tags": ["Mailing List", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q7CANA7KV53JROZDX5Z5P26UG5VN2K43/", "source": "cve@mitre.org"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TH5VFUN4P7CCIP7KSEXYA5MUTFCUDUJT/", "source": "cve@mitre.org"}, {"url": "https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", "source": "cve@mitre.org"}, {"url": "https://seclists.org/bugtraq/2019/Oct/6", "tags": ["Issue Tracking", "Mailing List", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://security.netapp.com/advisory/ntap-20191017-0006/", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.debian.org/security/2019/dsa-4542", "tags": ["Mailing List", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.oracle.com//security-alerts/cpujul2021.html", "tags": ["Patch", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.oracle.com/security-alerts/cpuapr2020.html", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.oracle.com/security-alerts/cpujan2020.html", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.oracle.com/security-alerts/cpujul2020.html", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.oracle.com/security-alerts/cpuoct2020.html", "tags": ["Patch", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://access.redhat.com/errata/RHSA-2020:0159", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://access.redhat.com/errata/RHSA-2020:0160", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://access.redhat.com/errata/RHSA-2020:0161", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://access.redhat.com/errata/RHSA-2020:0164", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://access.redhat.com/errata/RHSA-2020:0445", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/FasterXML/jackson-databind/issues/2478", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.apache.org/thread.html/5ec8d8d485c2c8ac55ea425f4cd96596ef37312532712639712ebcdd%40%3Ccommits.iceberg.apache.org%3E", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.apache.org/thread.html/6788e4c991f75b89d290ad06b463fcd30bcae99fee610345a35b7bc6%40%3Cissues.iceberg.apache.org%3E", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.apache.org/thread.html/r392099ed2757ff2e383b10440594e914d080511d7da1c8fed0612c1f%40%3Ccommits.druid.apache.org%3E", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.debian.org/debian-lts-announce/2019/10/msg00001.html", "tags": ["Mailing List", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q7CANA7KV53JROZDX5Z5P26UG5VN2K43/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TH5VFUN4P7CCIP7KSEXYA5MUTFCUDUJT/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://seclists.org/bugtraq/2019/Oct/6", "tags": ["Issue Tracking", "Mailing List", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://security.netapp.com/advisory/ntap-20191017-0006/", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.debian.org/security/2019/dsa-4542", "tags": ["Mailing List", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.oracle.com//security-alerts/cpujul2021.html", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.oracle.com/security-alerts/cpuapr2020.html", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.oracle.com/security-alerts/cpujan2020.html", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.oracle.com/security-alerts/cpujul2020.html", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.oracle.com/security-alerts/cpuoct2020.html", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-502"}]}], "descriptions": [{"lang": "en", "value": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling."}, {"lang": "es", "value": "Se descubri\u00f3 un problema de escritura polim\u00f3rfica en FasterXML jackson-databind versiones 2.0.0 hasta 2.9.10. Cuando la Escritura Predeterminada est\u00e1 habilitada (globalmente o para una propiedad espec\u00edfica) para un end point JSON expuesto externamente y el servicio posee el jar p6spy (versi\u00f3n 3.8.6) en el classpath, y un atacante puede encontrar un end point del servicio RMI para acceder, es posible lograr que el servicio ejecute una carga maliciosa. Este problema se presenta debido al manejo inapropiado de com.p6spy.engine.spy.P6DataSource."}], "lastModified": "2024-11-21T04:31:23.737", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7036DA13-110D-40B3-8494-E361BBF4AFCD", "versionEndExcluding": "2.6.7.3", "versionStartIncluding": "2.0.0"}, {"criteria": "cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5F83B193-74CF-459A-8055-AE0F033D5BCB", "versionEndExcluding": "2.8.11.5", "versionStartIncluding": "2.7.0"}, {"criteria": "cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "18324CA7-89A0-4212-B603-E9C3DD998219", "versionEndExcluding": "2.9.10.1", "versionStartIncluding": "2.9.0"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43"}, {"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252"}, {"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "97A4B8DF-58DA-4AB6-A1F9-331B36409BA3"}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "80F0FA5D-8D3B-4C0E-81E2-87998286AF33"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0C3AA5CE-9ACB-4E96-A4C1-50A662D641FB"}, {"criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B4911A72-5FAE-47C5-A141-2E3CA8E1CCAB"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "9BBCD86A-E6C7-4444-9D74-F861084090F0"}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "51EF4996-72F4-4FA4-814F-F5991E7A8318"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0C3AA5CE-9ACB-4E96-A4C1-50A662D641FB"}, {"criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B4911A72-5FAE-47C5-A141-2E3CA8E1CCAB"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_linux_server:8.0:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "B0FEFCDD-A212-4525-B449-2C4A00A0D2E9"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:oracle:banking_platform:2.4.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C2BEE49E-A5AA-42D3-B422-460454505480"}, {"criteria": "cpe:2.3:a:oracle:banking_platform:2.4.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F4FF66F7-10C8-4A1C-910A-EF7D12A4284C"}, {"criteria": "cpe:2.3:a:oracle:banking_platform:2.5.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "35AD0C07-9688-4397-8D45-FBB88C0F0C11"}, {"criteria": "cpe:2.3:a:oracle:banking_platform:2.6.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8972497F-6E24-45A9-9A18-EB0E842CB1D4"}, {"criteria": "cpe:2.3:a:oracle:banking_platform:2.6.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "400509A8-D6F2-432C-A2F1-AD5B8778D0D9"}, {"criteria": "cpe:2.3:a:oracle:banking_platform:2.6.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "132CE62A-FBFC-4001-81EC-35D81F73AF48"}, {"criteria": "cpe:2.3:a:oracle:banking_platform:2.7.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "282150FF-C945-4A3E-8A80-E8757A8907EA"}, {"criteria": "cpe:2.3:a:oracle:banking_platform:2.7.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "645AA3D1-C8B5-4CD2-8ACE-31541FA267F0"}, {"criteria": "cpe:2.3:a:oracle:banking_platform:2.9.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AB9FC9AB-1070-420F-870E-A5EC43A924A4"}, {"criteria": "cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5.0.23.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "790A89FD-6B86-49AE-9B4F-AE7262915E13"}, {"criteria": "cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0.0.3.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E39D442D-1997-49AF-8B02-5640BE2A26CC"}, {"criteria": "cpe:2.3:a:oracle:communications_calendar_server:8.0.0.2.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "559579F1-3975-45C5-9F62-2F0A5AF13E84"}, {"criteria": "cpe:2.3:a:oracle:communications_calendar_server:8.0.0.3.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "50882F8D-9740-4CC0-B2C6-CCE4F6D90C7C"}, {"criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:1.2.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "ADE6EF8F-1F05-429B-A916-76FDB20CEB81"}, {"criteria": "cpe:2.3:a:oracle:communications_evolved_communications_application_server:7.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "987811D5-DA5E-493D-8709-F9231A84E5F9"}, {"criteria": "cpe:2.3:a:oracle:global_lifecycle_management_nextgen_oui_framework:12.2.1.3.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "08A37FE9-B626-48C3-8FE0-D4F1A559E0B8"}, {"criteria": "cpe:2.3:a:oracle:global_lifecycle_management_nextgen_oui_framework:12.2.1.4.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6495B29F-3DA2-4628-9CC0-39617871F3AD"}, {"criteria": "cpe:2.3:a:oracle:global_lifecycle_management_nextgen_oui_framework:13.9.4.2.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5A6FFB5C-EB44-499F-BE81-24ED2B1F201A"}, {"criteria": "cpe:2.3:a:oracle:goldengate_application_adapters:19.1.0.0.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E7BE0590-31BD-4FCD-B50E-A5F86196F99E"}, {"criteria": "cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:9.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "989598A3-7012-4F57-B172-02404E20D16D"}, {"criteria": "cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "41684398-18A4-4DC6-B8A2-3EBAA0CBF9A6"}, {"criteria": "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3C209FAC-B7DE-42DC-AC9C-BD3ADA44D0B7", "versionEndIncluding": "17.12.6", "versionStartIncluding": "17.7"}, {"criteria": "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "597495A7-FE17-4B31-804D-B28C2B872B4D", "versionEndIncluding": "18.8.8", "versionStartIncluding": "18.8.0"}, {"criteria": "cpe:2.3:a:oracle:primavera_gateway:16.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DADAD14D-4836-4C74-A474-B8A044EED2EB"}, {"criteria": "cpe:2.3:a:oracle:primavera_gateway:16.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0513B305-97EF-4609-A82E-D0CDFF9925BA"}, {"criteria": "cpe:2.3:a:oracle:primavera_gateway:19.12.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B201A85E-1310-46B8-8A3B-FF7675F84E09"}, {"criteria": "cpe:2.3:a:oracle:retail_merchandising_system:15.0.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E7C9BB48-50B2-4735-9E2F-E492C708C36D"}, {"criteria": "cpe:2.3:a:oracle:retail_merchandising_system:16.0.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4A848888-0A4A-4B6D-8176-9A2685B37AC2"}, {"criteria": "cpe:2.3:a:oracle:retail_merchandising_system:16.0.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F8383028-B719-41FD-9B6A-71F8EB4C5F8D"}, {"criteria": "cpe:2.3:a:oracle:retail_sales_audit:14.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7DA6E92C-AC3B-40CF-96AE-22CD8769886F"}, {"criteria": "cpe:2.3:a:oracle:siebel_engineering_-_installer_\\&_deployment:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A83C7FAE-9848-427E-88F8-BFA24134A84B", "versionEndIncluding": "2.20.5"}, {"criteria": "cpe:2.3:a:oracle:trace_file_analyzer:12.2.0.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EDB52969-7705-47CF-BD55-5632C56A7FD1"}, {"criteria": "cpe:2.3:a:oracle:trace_file_analyzer:18c:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "67107890-A521-47E7-BC10-00635C85BEC4"}, {"criteria": "cpe:2.3:a:oracle:trace_file_analyzer:19c:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9B3C1811-E651-4975-A1AE-BCE3377D51A0"}, {"criteria": "cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D6A4F71A-4269-40FC-8F61-1D1301F2B728"}, {"criteria": "cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5A502118-5B2B-47AE-82EC-1999BD841103"}, {"criteria": "cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D551CAB1-4312-44AA-BDA8-A030817E153A"}, {"criteria": "cpe:2.3:a:oracle:webcenter_sites:12.2.1.4.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "174A6D2E-E42E-4C92-A194-C6A820CD7EF4"}, {"criteria": "cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F14A818F-AA16-4438-A3E4-E64C9287AC66"}, {"criteria": "cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4A5BB153-68E0-4DDA-87D1-0D9AB7F0A418"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:linux:*:*", "vulnerable": true, "matchCriteriaId": "9FBC1BD0-FF12-4691-8751-5F245D991989", "versionStartIncluding": "7.3"}, {"criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:windows:*:*", "vulnerable": true, "matchCriteriaId": "BD075607-09B7-493E-8611-66D041FFDA62", "versionStartIncluding": "7.3"}, {"criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:vmware_vsphere:*:*", "vulnerable": true, "matchCriteriaId": "0CB28AF5-5AF0-4475-A7B6-12E1795FFDCB", "versionStartIncluding": "9.5"}, {"criteria": "cpe:2.3:a:netapp:oncommand_api_services:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5EC98B22-FFAA-4B59-8E63-EBAA4336AD13"}, {"criteria": "cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5735E553-9731-4AAC-BCFF-989377F817B3"}, {"criteria": "cpe:2.3:a:netapp:service_level_manager:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7081652A-D28B-494E-94EF-CA88117F23EE"}, {"criteria": "cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E94F7F59-1785-493F-91A7-5F5EA5E87E4D"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}

9.8 /10