Candidate: CVE-2019-12384
PublicDate: 2019-06-24 16:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12384
 https://github.com/FasterXML/jackson-databind/issues/2334
 https://github.com/FasterXML/jackson-databind/commit/c9ef4a10d6f6633cf470d6a469514b68fa2be234
Description:
 FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have
 a variety of impacts by leveraging failure to block the logback-core class
 from polymorphic deserialization. Depending on the classpath content,
 remote code execution may be possible.
Ubuntu-Description:
 It was discovered that Jackson Databind incorrectly handled 
 deserialization. An attacker could possibly use this issue to execute
 arbitrary code or other unspecified impact.
Notes:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930750
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N [5.9 MEDIUM]


Patches_jackson-databind:
upstream_jackson-databind: needs-triage
precise/esm_jackson-databind: DNE
trusty_jackson-databind: ignored (out of standard support)
trusty/esm_jackson-databind: DNE
xenial_jackson-databind: ignored (end of standard support, was needed)
bionic_jackson-databind: needed
cosmic_jackson-databind: ignored (reached end-of-life)
disco_jackson-databind: ignored (reached end-of-life)
eoan_jackson-databind: released (2.9.8-3)
focal_jackson-databind: released (2.9.8-3)
groovy_jackson-databind: released (2.9.8-3)
hirsute_jackson-databind: released (2.9.8-3)
impish_jackson-databind: released (2.9.8-3)
jammy_jackson-databind: released (2.9.8-3)
devel_jackson-databind: released (2.9.8-3)