Candidate: CVE-2019-14893
PublicDate: 2020-03-02 21:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14893
 https://github.com/FasterXML/jackson-databind/issues/2469
 https://github.com/FasterXML/jackson-databind/commit/998efd708284778f29d83d7962a9bd935c228317
Description:
 A flaw was discovered in FasterXML jackson-databind in all versions before
 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of
 malicious objects using the xalan JNDI gadget when used in conjunction with
 polymorphic type handling methods such as `enableDefaultTyping()`, or when
 @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS`, or in any other way
 in which ObjectMapper.readValue might instantiate objects from unsafe
 sources. An attacker could use this flaw to execute arbitrary code.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]

Patches_jackson-databind:
upstream_jackson-databind: released (2.10.0-1)
precise/esm_jackson-databind: DNE
trusty_jackson-databind: ignored (out of standard support)
trusty/esm_jackson-databind: DNE
xenial_jackson-databind: not-affected (code not present)
bionic_jackson-databind: needed
disco_jackson-databind: ignored (reached end-of-life)
eoan_jackson-databind: ignored (reached end-of-life)
focal_jackson-databind: not-affected (2.10.0-2)
groovy_jackson-databind: not-affected (2.10.0-2)
hirsute_jackson-databind: not-affected (2.10.0-2)
impish_jackson-databind: not-affected (2.10.0-2)
jammy_jackson-databind: not-affected (2.10.0-2)
devel_jackson-databind: not-affected (2.10.0-2)