Candidate: CVE-2019-16943
PublicDate: 2019-10-01 17:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16943
 https://github.com/FasterXML/jackson-databind/issues/2478
 https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
Description:
 A Polymorphic Typing issue was discovered in FasterXML jackson-databind
 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or
 for a specific property) for an externally exposed JSON endpoint and the
 service has the p6spy (3.8.6) jar in the classpath, and an attacker can
 find an RMI service endpoint to access, it is possible to make the service
 execute a malicious payload. This issue exists because of
 com.p6spy.engine.spy.P6DataSource mishandling.
Ubuntu-Description:
 It was discovered that Jackson Databind incorrectly handled 
 deserialization. An attacker could possibly use this issue to execute
 arbitrary code or other unspecified impact.
Notes:
Mitigation:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941530
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]


Patches_jackson-databind:
upstream_jackson-databind: needs-triage
precise/esm_jackson-databind: DNE
trusty_jackson-databind: ignored (out of standard support)
trusty/esm_jackson-databind: DNE
xenial_jackson-databind: ignored (end of standard support, was needs-triage)
bionic_jackson-databind: needs-triage
disco_jackson-databind: ignored (reached end-of-life)
eoan_jackson-databind: ignored (reached end-of-life)
focal_jackson-databind: not-affected (2.10.0-2)
groovy_jackson-databind: not-affected (2.10.0-2)
hirsute_jackson-databind: not-affected (2.10.0-2)
impish_jackson-databind: not-affected (2.10.0-2)
jammy_jackson-databind: not-affected (2.10.0-2)
devel_jackson-databind: not-affected (2.10.0-2)