CVE-2019-14439

Published Jul 30, 2019
Last updated a year ago
CVSS high 7.5
Overview

Description: A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.
Source: cve@mitre.org
NVD status: Modified
Risk scores

CVSS 3.1

Type: Primary
Base score: 7.5
Impact score: 3.6
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Severity: HIGH
CVSS 2.0

Type: Primary
Base score: 5
Impact score: 2.9
Exploitability score: 10
Vector string: AV:N/AC:L/Au:N/C:P/I:N/A:N
Weaknesses

nvd@nist.gov: CWE-502
Hype score: Not currently trending
Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "7036DA13-110D-40B3-8494-E361BBF4AFCD",
            "versionEndExcluding": "2.6.7.3",
            "versionStartIncluding": "2.0.0"
          },
          {
            "criteria": "cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "89660FC3-9198-414C-B89D-C61A4438BA3B",
            "versionEndExcluding": "2.7.9.6",
            "versionStartIncluding": "2.7.0"
          },
          {
            "criteria": "cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "5DB8A2D4-0FDE-4216-896B-52824106B97B",
            "versionEndExcluding": "2.8.11.4",
            "versionStartIncluding": "2.8.0"
          },
          {
            "criteria": "cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "04641592-DAF4-47BB-A9DE-FC4C84A20401",
            "versionEndExcluding": "2.9.9.2",
            "versionStartIncluding": "2.9.0"
          }
        ],
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43"
          },
          {
            "criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252"
          },
          {
            "criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73"
          }
        ],
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "D100F7CE-FC64-4CC6-852A-6136D72DA419"
          },
          {
            "criteria": "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "97A4B8DF-58DA-4AB6-A1F9-331B36409BA3"
          }
        ],
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:apache:drill:1.16.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "235DC57F-22B8-4219-9499-7D005D90A654"
          }
        ],
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:redhat:jboss_middleware_text-only_advisories:1.0:*:*:*:*:middleware:*:*",
            "vulnerable": true,
            "matchCriteriaId": "A0FED4EE-0AE2-4BD8-8DAC-143382E4DB7C"
          }
        ],
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:oracle:banking_platform:2.4.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "C2BEE49E-A5AA-42D3-B422-460454505480"
          },
          {
            "criteria": "cpe:2.3:a:oracle:banking_platform:2.4.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "F4FF66F7-10C8-4A1C-910A-EF7D12A4284C"
          },
          {
            "criteria": "cpe:2.3:a:oracle:banking_platform:2.5.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "35AD0C07-9688-4397-8D45-FBB88C0F0C11"
          },
          {
            "criteria": "cpe:2.3:a:oracle:banking_platform:2.6.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "8972497F-6E24-45A9-9A18-EB0E842CB1D4"
          },
          {
            "criteria": "cpe:2.3:a:oracle:banking_platform:2.6.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "400509A8-D6F2-432C-A2F1-AD5B8778D0D9"
          },
          {
            "criteria": "cpe:2.3:a:oracle:banking_platform:2.7.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "282150FF-C945-4A3E-8A80-E8757A8907EA"
          },
          {
            "criteria": "cpe:2.3:a:oracle:banking_platform:2.7.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "645AA3D1-C8B5-4CD2-8ACE-31541FA267F0"
          },
          {
            "criteria": "cpe:2.3:a:oracle:communications_diameter_signaling_router:8.0.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "A9317C01-22AA-452B-BBBF-5FAFFFB8BEA4"
          },
          {
            "criteria": "cpe:2.3:a:oracle:communications_diameter_signaling_router:8.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "C4534CF9-D9FD-4936-9D8C-077387028A05"
          },
          {
            "criteria": "cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "D60384BD-284C-4A68-9EEF-0FAFDF0C21F3"
          },
          {
            "criteria": "cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "FCA44E38-EB8C-4E2D-8611-B201F47520E9"
          },
          {
            "criteria": "cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.3.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "FD945A04-174C-46A2-935D-4F92631D1018"
          },
          {
            "criteria": "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "51433748-DED0-416D-8BFE-F3493E13772E",
            "versionEndIncluding": "8.0.8",
            "versionStartIncluding": "8.0.2"
          },
          {
            "criteria": "cpe:2.3:a:oracle:global_lifecycle_management_opatch:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "F6455EB1-C741-45E8-A53E-E7AD7A5D00EE",
            "versionEndExcluding": "11.2.0.3.23"
          },
          {
            "criteria": "cpe:2.3:a:oracle:global_lifecycle_management_opatch:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "BFD43191-E67F-4D1B-967B-3C7B20331945",
            "versionEndExcluding": "12.2.0.1.19",
            "versionStartIncluding": "12.2.0.1.0"
          },
          {
            "criteria": "cpe:2.3:a:oracle:global_lifecycle_management_opatch:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "062C588A-CBBA-470F-8D11-2F961922E927",
            "versionEndExcluding": "13.9.4.2.1",
            "versionStartIncluding": "13.9.4.0.0"
          },
          {
            "criteria": "cpe:2.3:a:oracle:global_lifecycle_management_opatch:11.2.0.3.23:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "E074FB89-051D-4E67-BFF9-5D3880F4E8EA"
          },
          {
            "criteria": "cpe:2.3:a:oracle:global_lifecycle_management_opatch:13.9.4.2.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "3F71F9A4-39B3-4027-87DF-BF47DEDC9357"
          },
          {
            "criteria": "cpe:2.3:a:oracle:goldengate_stream_analytics:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "F4E7F2AA-B851-4D85-9895-2CDD6BE9FCB4",
            "versionEndExcluding": "19.1.0.0.1"
          },
          {
            "criteria": "cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:9.2:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "989598A3-7012-4F57-B172-02404E20D16D"
          },
          {
            "criteria": "cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "41684398-18A4-4DC6-B8A2-3EBAA0CBF9A6"
          },
          {
            "criteria": "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "6951D244-845C-4BF2-AC75-F226B0C39C77",
            "versionEndIncluding": "17.12",
            "versionStartIncluding": "17.7"
          },
          {
            "criteria": "cpe:2.3:a:oracle:primavera_gateway:15.2:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "6CBFA960-D242-43ED-8D4C-A60F01B70740"
          },
          {
            "criteria": "cpe:2.3:a:oracle:primavera_gateway:16.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "DADAD14D-4836-4C74-A474-B8A044EED2EB"
          },
          {
            "criteria": "cpe:2.3:a:oracle:primavera_gateway:16.2:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "0513B305-97EF-4609-A82E-D0CDFF9925BA"
          },
          {
            "criteria": "cpe:2.3:a:oracle:primavera_gateway:18.8.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "99365245-49E8-4616-BD24-CE564AC1D17E"
          },
          {
            "criteria": "cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:17.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "A7FBF5C7-EC73-4CE4-8CB7-E9CF5705DB25"
          },
          {
            "criteria": "cpe:2.3:a:oracle:retail_xstore_point_of_service:7.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "A0ED83E3-E6BF-4EAA-AF8F-33485A88A218"
          },
          {
            "criteria": "cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "11DA6839-849D-4CEF-85F3-38FE75E07183"
          },
          {
            "criteria": "cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "BCE78490-A4BE-40BD-8C72-0A4526BBD4A4"
          },
          {
            "criteria": "cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "55AE3629-4A66-49E4-A33D-6D81CC94962F"
          },
          {
            "criteria": "cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "4CB39A1A-AD29-45DD-9EB5-5E2053A01B9A"
          },
          {
            "criteria": "cpe:2.3:a:oracle:siebel_engineering_-_installer_\\&_deployment:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "25993ED6-D4C7-4B68-9F87-274B757A88CC",
            "versionEndIncluding": "19.8"
          },
          {
            "criteria": "cpe:2.3:a:oracle:siebel_ui_framework:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "2F10FB4D-A29B-42B4-B70E-EB82A93F2218",
            "versionEndIncluding": "19.10"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]
Overview

Risk scores

CVSS 3.1

CVSS 2.0

Weaknesses

Social media

Configurations

References
