CVE-2019-16943

Priority
Description
A Polymorphic Typing issue was discovered in FasterXML jackson-databind
2.0.0 through 2.9.10. When Default Typing is enabled (either globally or
for a specific property) for an externally exposed JSON endpoint and the
service has the p6spy (3.8.6) jar in the classpath, and an attacker can
find an RMI service endpoint to access, it is possible to make the service
execute a malicious payload. This issue exists because of
com.p6spy.engine.spy.P6DataSource mishandling.
Notes
Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): needs-triage
Ubuntu 18.04 LTS (Bionic Beaver): needs-triage
Ubuntu 19.10 (Eoan Ermine): needs-triage
Ubuntu 20.04 (Focal Fossa): not-affected (2.10.0-2)

Updated: 2020-04-24 03:54:29 UTC (commit d3f8a6ed481830fb100109a132bef581fc4176fe)