CVE-2019-12384

jackson-databind: failure to block the logback-core class from polymorphic deserialization leading to remote code execution

Severity Score

5.9

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.

FasterXML jackson-databind versión 2.x anterior a 2.9.9.1, podría permitir a los atacantes dirigir una variedad de impactos al aprovechar un fallo al bloquear la deserialización polimórfica de la clase core-logback. Dependiendo del contenido del classpath, la ejecución de código remota puede ser posible.

A flaw was discovered in FasterXML jackson-databind in versions prior to 2.9.9. The vulnerability would permit polymorphic deserialization of malicious objects using the logback-core gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. Depending on the classpath content, remote code execution may be possible.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2019-05-27 CVE Reserved
2019-06-24 CVE Published
2019-07-24 First Exploit
2024-08-04 CVE Updated
2024-11-14 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-502: Deserialization of Untrusted Data

CAPEC

References (49)

URL	Tag	Source
https://blog.doyensec.com/2019/07/22/jackson-gadgets.html	Third Party Advisory
https://doyensec.com/research.html	Third Party Advisory
https://lists.apache.org/thread.html/0d4b630d9ee724aee50703397d9d1afa2b2befc9395ba7797d0ccea9%40%3Cdev.tomee.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/2d2a76440becb610b9a9cb49b15eac3934b02c2dbcaacde1000353e4%40%3Cdev.tomee.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/34717424b4d08b74f65c09a083d6dd1cb0763f37a15d6de135998c1d%40%3Cdev.tomee.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/3f99ae8dcdbd69438cb733d745ee3ad5e852068490719a66509b4592%40%3Ccommits.cassandra.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/56c8042873595b8c863054c7bfccab4bf2c01c6f5abedae249d914b9%40%3Cdev.tomee.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/5ecc333113b139429f4f05000d4aa2886974d4df3269c1dd990bb319%40%3Cdev.tomee.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/5fc0e16b7af2590bf1e97c76c136291c4fdb244ee63c65c485c9a7a1%40%3Cdev.tomee.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/87e46591de8925f719664a845572d184027258c5a7af0a471b53c77b%40%3Cdev.tomee.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/940b4c3fef002461b89a050935337056d4a036a65ef68e0bbd4621ef%40%3Cdev.struts.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3%40%3Ccommits.nifi.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/e0733058c0366b703e6757d8d2a7a04b943581f659e9c271f0841dfe%40%3Cnotifications.geode.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/ee0a051428d2c719acfa297d0854a189ea5e284ef3ed491fa672f4be%40%3Cdev.tomee.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3E	Mailing List
https://lists.debian.org/debian-lts-announce/2019/06/msg00019.html	Mailing List
https://seclists.org/bugtraq/2019/Oct/6	Mailing List
https://security.netapp.com/advisory/ntap-20190703-0002	Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2020.html	Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2020.html	Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2020.html	Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.html	Third Party Advisory

URL	Date	SRC
https://github.com/jas502n/CVE-2019-12384	2019-07-24
https://github.com/MagicZer0/Jackson_RCE-CVE-2019-12384	2019-08-01

URL	Date	SRC
https://github.com/FasterXML/jackson-databind/compare/74b90a4...a977aad	2023-11-07
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html	2023-11-07

URL	Date	SRC
https://access.redhat.com/errata/RHSA-2019:1820	2023-11-07
https://access.redhat.com/errata/RHSA-2019:2720	2023-11-07
https://access.redhat.com/errata/RHSA-2019:2858	2023-11-07
https://access.redhat.com/errata/RHSA-2019:2935	2023-11-07
https://access.redhat.com/errata/RHSA-2019:2936	2023-11-07
https://access.redhat.com/errata/RHSA-2019:2937	2023-11-07
https://access.redhat.com/errata/RHSA-2019:2938	2023-11-07
https://access.redhat.com/errata/RHSA-2019:2998	2023-11-07
https://access.redhat.com/errata/RHSA-2019:3149	2023-11-07
https://access.redhat.com/errata/RHSA-2019:3200	2023-11-07
https://access.redhat.com/errata/RHSA-2019:3292	2023-11-07
https://access.redhat.com/errata/RHSA-2019:3297	2023-11-07
https://access.redhat.com/errata/RHSA-2019:3901	2023-11-07
https://access.redhat.com/errata/RHSA-2019:4352	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OVRZDN2T6AZ6DJCZJ3VSIQIVHBVMVWBL	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TXRVXNRFHJSQWFHPRJQRI5UPMZ63B544	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UKUALE2TUCKEKOHE2D342PQXN4MWCSLC	2023-11-07
https://www.debian.org/security/2019/dsa-4542	2023-11-07
https://access.redhat.com/security/cve/CVE-2019-12384	2024-08-26
https://bugzilla.redhat.com/show_bug.cgi?id=1725807	2024-08-26

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Fasterxml Search vendor "Fasterxml"		Jackson-databind Search vendor "Fasterxml" for product "Jackson-databind"				>= 2.0.0 < 2.6.7.3 Search vendor "Fasterxml" for product "Jackson-databind" and version " >= 2.0.0 < 2.6.7.3"		-		Affected
Fasterxml Search vendor "Fasterxml"		Jackson-databind Search vendor "Fasterxml" for product "Jackson-databind"				>= 2.7.0 < 2.7.9.6 Search vendor "Fasterxml" for product "Jackson-databind" and version " >= 2.7.0 < 2.7.9.6"		-		Affected
Fasterxml Search vendor "Fasterxml"		Jackson-databind Search vendor "Fasterxml" for product "Jackson-databind"				>= 2.8.0 < 2.8.11.4 Search vendor "Fasterxml" for product "Jackson-databind" and version " >= 2.8.0 < 2.8.11.4"		-		Affected
Fasterxml Search vendor "Fasterxml"		Jackson-databind Search vendor "Fasterxml" for product "Jackson-databind"				>= 2.9.0 < 2.9.9.1 Search vendor "Fasterxml" for product "Jackson-databind" and version " >= 2.9.0 < 2.9.9.1"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				8.0 Search vendor "Debian" for product "Debian Linux" and version "8.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"				7.0 Search vendor "Redhat" for product "Enterprise Linux" and version "7.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"				7.4 Search vendor "Redhat" for product "Enterprise Linux" and version "7.4"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"				7.5 Search vendor "Redhat" for product "Enterprise Linux" and version "7.5"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"				7.6 Search vendor "Redhat" for product "Enterprise Linux" and version "7.6"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"				7.7 Search vendor "Redhat" for product "Enterprise Linux" and version "7.7"		-		Affected