Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2019-16943

Good to know:

icon
icon

Date: October 1, 2019

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.

Language: Java

Severity Score

Related Resources (31)

https://www.oracle.com/security-alerts/cpuapr2020.html
https://access.redhat.com/security/cve/CVE-2019-16943
https://nvd.nist.gov/vuln/detail/CVE-2019-16943
https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E
https://www.oracle.com/security-alerts/cpuoct2020.html
https://security-tracker.debian.org/tracker/CVE-2019-16943
https://access.redhat.com/errata/RHSA-2020:0159
https://lists.debian.org/debian-lts-announce/2019/10/msg00001.html
https://seclists.org/bugtraq/2019/Oct/6
https://www.debian.org/security/2019/dsa-4542
https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
https://access.redhat.com/errata/RHSA-2020:0160
https://www.oracle.com/security-alerts/cpujul2020.html
https://security.netapp.com/advisory/ntap-20191017-0006/
https://lists.apache.org/thread.html/6788e4c991f75b89d290ad06b463fcd30bcae99fee610345a35b7bc6@%3Cissues.iceberg.apache.org%3E
https://access.redhat.com/errata/RHSA-2020:0161
https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E
https://access.redhat.com/errata/RHSA-2020:0164
https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E
https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E
https://github.com/FasterXML/jackson-databind/issues/2478
https://lists.apache.org/thread.html/r392099ed2757ff2e383b10440594e914d080511d7da1c8fed0612c1f@%3Ccommits.druid.apache.org%3E
https://access.redhat.com/errata/RHSA-2020:0445
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q7CANA7KV53JROZDX5Z5P26UG5VN2K43/
https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E
https://people.canonical.com/~ubuntu-security/cve/CVE-2019-16943
https://lists.apache.org/thread.html/5ec8d8d485c2c8ac55ea425f4cd96596ef37312532712639712ebcdd@%3Ccommits.iceberg.apache.org%3E
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpujan2020.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TH5VFUN4P7CCIP7KSEXYA5MUTFCUDUJT/
https://www.mend.io/vulnerability-database/CVE-2019-16943

Severity Score

Weakness Type (CWE)

Deserialization of Untrusted Data

CWE-502

Input Validation

CWE-20

Top Fix

icon

Upgrade Version

Upgrade to version com.fasterxml.jackson.core:jackson-databind:2.6.7.3,2.8.11.5,2.9.10.1

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): HIGH
Availability (A): HIGH

CVSS v2

Base Score:
Access Vector (AV): NETWORK
Access Complexity (AC): MEDIUM
Authentication (AU): NONE
Confidentiality (C): PARTIAL
Integrity (I): PARTIAL
Availability (A): PARTIAL
Additional information:

Do you need more information?

Contact Us