CVE-2019-12814
moderate-risk
Published 2019-06-19
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.
Do I need to act?
EPSS: 18.1% chance of exploitation in the next 30 days (higher than 82% of all CVEs)
CISA KEV: not listed. No confirmed active exploitation reported to CISA.
Patch status: unknown. Check vendor advisories for fix availability and mitigation guidance.
CVSS 5.9/10 (Medium). Attack vector: Network; attack complexity: High.
Affected Products (2)
References (110)
- Third Party Advisory: https://access.redhat.com/errata/RHSA-2019:2858
- Third Party Advisory: https://access.redhat.com/errata/RHSA-2019:2935
- Third Party Advisory: https://access.redhat.com/errata/RHSA-2019:2936
- Third Party Advisory: https://access.redhat.com/errata/RHSA-2019:2937
- Third Party Advisory: https://access.redhat.com/errata/RHSA-2019:2938
- Third Party Advisory: https://access.redhat.com/errata/RHSA-2019:3044
- Third Party Advisory: https://access.redhat.com/errata/RHSA-2019:3045
- Third Party Advisory: https://access.redhat.com/errata/RHSA-2019:3046
- Third Party Advisory: https://access.redhat.com/errata/RHSA-2019:3050
- Third Party Advisory: https://access.redhat.com/errata/RHSA-2019:3149
- Third Party Advisory: https://access.redhat.com/errata/RHSA-2019:3200
- Third Party Advisory: https://access.redhat.com/errata/RHSA-2019:3292
- Third Party Advisory: https://access.redhat.com/errata/RHSA-2019:3297
- Third Party Advisory: https://github.com/FasterXML/jackson-databind/issues/2341
and 90 more references
Risk score: 38 / 100 (moderate-risk)
Severity: 18/34 · Moderate
Exploitability: 13/34 · Low
Exposure: 7/34 · Low