Home

CVE-2019-14892

Description

A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code.

Risk Information

Base Score
9.8
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score
Exploitation Probability
0.873

Associated Vulnerability

VulnerabilityOS Platform
Multiple vulnerabilities are fixed in Jackson-databind 2.6.7.3Windows
Multiple vulnerabilities are fixed in Jackson-databind 2.8.11.5Windows
Vulnerabilities CVE-2019-17267,CVE-2019-14893,CVE-2019-14892,CVE-2019-16335,CVE-2019-14540 are fixed in Jackson-databind 2.9.10Windows
Multiple Vulnerabilities are affected in Red Hat JBoss Data Grid 7.0.0Windows
Multiple Vulnerabilities are affected in Red Hat JBoss Enterprise Application Platform 7 7.0Windows
Multiple Vulnerabilities are affected in IBM Sterling B2B Integrator 5.2.6.5Windows
Multiple Vulnerabilities are affected in IBM Sterling B2B Integrator 6.0.3.4Windows
Multiple Vulnerabilities are affected in IBM Cognos Analytics 11.0Windows
Multiple Vulnerabilities are affected in IBM Cognos Analytics 11.1Windows
Multiple Vulnerabilities are affected in IBM Sterling B2B Integrator 6.0.0.6Windows
Multiple Vulnerabilities are affected in IBM Sterling B2B Integrator 6.1.0.2Windows
Multiple vulnerabilities are fixed in Jackson-databind for Linux 2.6.7.3Linux
Multiple vulnerabilities are fixed in Jackson-databind for Linux 2.8.11.5Linux
Vulnerabilities CVE-2019-17267,CVE-2019-14893,CVE-2019-14892,CVE-2019-16335,CVE-2019-14540 are fixed in Jackson-databind for Linux 2.9.10Linux
Deserialization of Untrusted Data Vulnerability (CVE-2019-14892)NCM

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234