Vulnerability Database

289,599

Total vulnerabilities in the database

CVE-2019-17531

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.

CVSS v3:

  • Severity: Critical
  • Score: 9.8
  • AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

  • Severity: Medium
  • Score: 6.8
  • AV:N/AC:M/Au:N/C:P/I:P/A:P

CWEs:

OWASP TOP 10:

Software From Fixed in
fasterxml / jackson-databind 2.9.0 2.9.10.1
debian / debian_linux 8.0 8.0.x
redhat / jboss_enterprise_application_platform 7.2 7.2.x
redhat / jboss_enterprise_application_platform 7.3 7.3.x
oracle / banking_platform 2.4.0 2.4.0.x
oracle / jd_edwards_enterpriseone_tools 9.2 9.2.x
oracle / banking_platform 2.4.1 2.4.1.x
oracle / primavera_gateway 16.1 16.1.x
oracle / primavera_gateway 16.2 16.2.x
oracle / banking_platform 2.5.0 2.5.0.x
oracle / weblogic_server 12.2.1.3.0 12.2.1.3.0.x
oracle / webcenter_portal 12.2.1.3.0 12.2.1.3.0.x
oracle / webcenter_sites 12.2.1.3.0 12.2.1.3.0.x
oracle / jd_edwards_enterpriseone_orchestrator 9.2 9.2.x
oracle / banking_platform 2.6.0 2.6.0.x
oracle / banking_platform 2.6.1 2.6.1.x
oracle / banking_platform 2.6.2 2.6.2.x
oracle / weblogic_server 12.2.1.4.0 12.2.1.4.0.x
oracle / webcenter_sites 12.2.1.4.0 12.2.1.4.0.x
oracle / webcenter_portal 12.2.1.4.0 12.2.1.4.0.x
oracle / communications_billing_and_revenue_management 12.0.0.3.0 12.0.0.3.0.x
oracle / communications_billing_and_revenue_management 7.5.0.23.0 7.5.0.23.0.x
oracle / trace_file_analyzer 19c 19c.x
oracle / trace_file_analyzer 18c 18c.x
oracle / trace_file_analyzer 12.2.0.1 12.2.0.1.x
oracle / siebel_engineering_-_installer_&_deployment - 2.20.5.x
oracle / retail_sales_audit 14.1 14.1.x
oracle / retail_merchandising_system 15.0.3 15.0.3.x
oracle / retail_merchandising_system 16.0.2 16.0.2.x
oracle / retail_merchandising_system 16.0.3 16.0.3.x
oracle / global_lifecycle_management_nextgen_oui_framework 13.9.4.2.2 13.9.4.2.2.x
oracle / global_lifecycle_management_nextgen_oui_framework 12.2.1.4.0 12.2.1.4.0.x
oracle / global_lifecycle_management_nextgen_oui_framework 12.2.1.3.0 12.2.1.3.0.x
oracle / banking_platform 2.7.0 2.7.0.x
oracle / banking_platform 2.7.1 2.7.1.x
oracle / banking_platform 2.9.0 2.9.0.x
oracle / primavera_gateway 19.12.0 19.12.0.x
oracle / primavera_gateway 18.8.0 18.8.8.x
oracle / primavera_gateway 17.7 17.12.6.x
oracle / communications_evolved_communications_application_server 7.1 7.1.x
oracle / communications_calendar_server 8.0.0.3.0 8.0.0.3.0.x
oracle / communications_calendar_server 8.0.0.2.0 8.0.0.2.0.x
oracle / goldengate_application_adapters 19.1.0.0.0 19.1.0.0.0.x
oracle / communications_cloud_native_core_network_slice_selection_function 1.2.1 1.2.1.x
com.fasterxml.jackson.core / jackson-databind - 2.9.10.1
fasterxml / jackson-databind 2.0.0 2.6.7.3
fasterxml / jackson-databind 2.7.0 2.8.11.5