CVE-2019-16942
high-risk
Published 2019-10-01
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.
Do I need to act?
-
0.41% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
+
Fix available
Upgrade to: ec1adf8c72625fd51b30105afad7464c4332d542, ba9ac61920a4391568f4959e399a25833eae9cf6, db82f32714c083da3c31267352f0dcc65fd371f5
9
CVSS 9.8/10
Critical
NETWORK
/ LOW complexity
Affected Products (20)
Oncommand Api Services
References (58)
Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:3901
Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0159
Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0160
Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0161
Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0164
Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0445
Issue Tracking
https://issues.apache.org/jira/browse/GEODE-7255
and 38 more references
61
/ 100
high-risk
Severity
32/34 · Critical
Exploitability
2/34 · Minimal
Exposure
27/34 · High