Bug#930750: jackson-databind: CVE-2019-12384 CVE-2019-12814

Salvatore Bonaccorso carnil at debian.org
Wed Jun 19 21:25:25 BST 2019


Source: jackson-databind
Version: 2.9.8-2
Severity: important
Tags: security upstream

Hi,

The following vulnerabilities were published for jackson-databind.

CVE-2019-12384[0]:
| Another issue (exploitable using polymorphic deserialization), cf.
| [2].

CVE-2019-12814[1]:
| A Polymorphic Typing issue was discovered in FasterXML jackson-
| databind 2.x through 2.9.9. When Default Typing is enabled (either
| globally or for a specific property) for an externally exposed JSON
| endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an
| attacker can send a specifically crafted JSON message that allows them
| to read arbitrary local files on the server.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-12384
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12384
[1] https://security-tracker.debian.org/tracker/CVE-2019-12814
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12814
[2] https://github.com/FasterXML/jackson-databind/issues/2334
[3] https://github.com/FasterXML/jackson-databind/issues/2341

Regards,
Salvatore
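As an added illustration that is not part of this bug report or of jackson-databind's own code, the following Java snippet places the "Default Typing enabled" configuration described under CVE-2019-12814 beside a hardened form that uses the PolymorphicTypeValidator API introduced in jackson-databind 2.10 (the 2.9.8 package in this report predates it). The package name com.example.app, the class DefaultTypingExample and the sample JSON are placeholders constructed for the example.

```java
package com.example.app;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

/** Added example with placeholder names; requires jackson-databind 2.10 or later. */
public class DefaultTypingExample {

    /** Hypothetical application type; it lives under the allowlisted package prefix. */
    public static class Event {
        public String name;
    }

    /**
     * Weak configuration, the pattern the CVE description refers to: global Default
     * Typing with no validator, so the JSON type id may name any class on the classpath
     * (which is how a gadget library such as JDOM becomes reachable).
     * enableDefaultTyping is deprecated from 2.10 but still compiles.
     */
    static ObjectMapper weakMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    /**
     * Hardened configuration: Default Typing is only activated through a
     * PolymorphicTypeValidator whose allowlist is limited to the application's own
     * package, so type ids naming library or JDK classes are refused before any
     * instance is created.
     */
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.app.")   // placeholder package prefix
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    /** True if the mapper resolves the embedded type id, false if the validator refuses it. */
    static boolean accepts(ObjectMapper mapper, String json) throws Exception {
        try {
            mapper.readValue(json, Object.class);
            return true;
        } catch (InvalidTypeIdException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs using Jackson's default "as array" type-id wrapping.
        String appType = "[\"com.example.app.DefaultTypingExample$Event\", {\"name\": \"deploy\"}]";
        String foreignType = "[\"java.util.HashMap\", {}]";   // a class outside the allowlist

        System.out.println("weak mapper, app type:         " + accepts(weakMapper(), appType));
        System.out.println("weak mapper, foreign type:     " + accepts(weakMapper(), foreignType));
        System.out.println("hardened mapper, app type:     " + accepts(hardenedMapper(), appType));
        System.out.println("hardened mapper, foreign type: " + accepts(hardenedMapper(), foreignType));
    }
}
```

The weak mapper accepts both inputs; the hardened mapper accepts only the type under the allowlisted prefix and raises InvalidTypeIdException for the foreign class name. Where a service cannot upgrade to a release with PolymorphicTypeValidator, the equivalent mitigation is to leave Default Typing off entirely and declare polymorphism per property with @JsonTypeInfo and an explicit @JsonSubTypes list.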
