Polymorphic Deserialization Vulnerability in Jackson Databind
CVE-2019-14892
7.5 HIGH
Summary
jackson-databind versions before 2.9.10, 2.8.11.5 and 2.6.7.3 permit polymorphic deserialization of untrusted data, and the commons-configuration JNDI classes can be named as the deserialization target; an attacker who controls the input can exploit this to execute arbitrary code on the affected system. Validating incoming data and restricting which types may be deserialized are the key mitigations.
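As an added illustration of the "restrictive deserialization practices" the summary calls for (example code, not from the advisory or the Jackson project): the weak default-typing configuration beside the allow-list hardening that Jackson 2.10 and later provide through PolymorphicTypeValidator. The Event class, the package prefix com.example.dto. and the JSON document are constructed for this example.

```java
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingHardening {
    // Constructed DTO: an Object-typed field is where default typing lets the
    // JSON document choose the concrete class that gets instantiated.
    public static class Event {
        public String name;
        public Object payload;
    }

    // Weak setting: any non-final declared type may be resolved from a class
    // name in the document, so every class on the classpath is a candidate.
    @SuppressWarnings("deprecation")
    static ObjectMapper weakMapper() {
        return new ObjectMapper().enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
    }

    // Hardened setting (Jackson 2.10+): class names are checked against an
    // allow list before the class is used. "com.example.dto." is a placeholder
    // for the package that holds the application's own payload classes.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.dto.")
                .build();
        return new ObjectMapper().activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
    }

    // True when the mapper is willing to instantiate the class named in the
    // document; the hardened mapper rejects names outside the allow list with
    // a JsonMappingException instead of instantiating them.
    static boolean accepts(ObjectMapper mapper, String json) {
        try {
            mapper.readValue(json, Event.class);
            return true;
        } catch (JsonMappingException e) {
            return false;
        } catch (java.io.IOException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        // Constructed input: the type id names a harmless JDK class that is not on
        // the allow list; the advisory's JNDI classes would occupy the same slot.
        String untrusted = "{\"name\":\"login\",\"payload\":[\"java.util.Date\",1571234567000]}";
        System.out.println("weak mapper accepts:     " + accepts(weakMapper(), untrusted));
        System.out.println("hardened mapper accepts: " + accepts(hardenedMapper(), untrusted));
    }
}
```

The fixed versions listed below add the commons-configuration classes to Jackson's built-in blocklist; the allow list does not depend on that list and also covers gadget classes discovered later.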
Affected Version(s)
jackson-databind Versions before 2.9.10
jackson-databind Versions before 2.8.11.5
jackson-databind Versions before 2.6.7.3
CVSS V3.1
Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved