CVE-2019-14893 — Polymorphic deserialization of malicious object in jackson-databind

Description

A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.

How to fix CVE-2019-14893

To remediate CVE-2019-14893, upgrade the affected package to a fixed version below.

—upgrade to 2.10.0-1 or later
—upgrade to 2.9.10 or later

Is CVE-2019-14893 being exploited?

Low — EPSS is 1.0%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 2.10.0-1
>= 2.9.0, < 2.9.10

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (11)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-14893
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2019-14893
WEBaccess.redhat.com/errata/RHSA-2020:0729
WEBbugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14893