5.9

CVSS Score

3.0

Basic Information

CVE ID

CVE-2019-12814

GHSA ID

GHSA-cmfg-87vq-g5g4

EPSS Score

0.95068%

CWE

CWE-502

Published

7/17/2019

Updated

3/15/2024

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-12814

CVE-2019-12814:
Deserialization of untrusted data in FasterXML jackson-databind

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.

(GitHub Advisory)

5.9

CVSS Score

3.0

Basic Information

CVE ID

CVE-2019-12814

GHSA ID

GHSA-cmfg-87vq-g5g4

EPSS Score

0.95068%

CWE

CWE-502

Published

7/17/2019

Updated

3/15/2024

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
com.fasterxml.jackson.core:jackson-databind	maven	>= 2.9.0, < 2.9.9.1	2.9.9.1
com.fasterxml.jackson.core:jackson-databind	maven	>= 2.8.0, < 2.8.11.4	2.8.11.4
com.fasterxml.jackson.core:jackson-databind	maven	>= 2.7.0, < 2.7.9.6	2.7.9.6
com.fasterxml.jackson.core:jackson-databind	maven	>= 2.0.0, < 2.6.7.3	2.6.7.3

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The patch for CVE-2019-12814 modifies SubTypeValidator.java to block certain classes from being deserialized, indicating these classes were previously vulnerable. The deserialization process, potentially involving the validateSubType() method or similar, is critical in exploiting this vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* Polymorp*i* Typin* issu* w*s *is*ov*r** in **st*rXML j**kson-**t**in* *.x t*rou** *.*.*. W**n ****ult Typin* is *n**l** (*it**r *lo**lly or *or * sp**i*i* prop*rty) *or *n *xt*rn*lly *xpos** JSON *n*point *n* t** s*rvi** **s J*OM *.x or *.x j*r in

Reasoning

T** p*t** *or *V*-****-***** mo*i*i*s `Su*Typ*V*li**tor.j*v*` to *lo*k **rt*in *l*ss*s *rom **in* **s*ri*liz**, in*i**tin* t**s* *l*ss*s w*r* pr*viously vuln*r**l*. T** **s*ri*liz*tion pro**ss, pot*nti*lly involvin* t** `v*li**t*Su*Typ*()` m*t*o* or

5.9

Basic Information

Concerned about an active attack path?

CVE-2019-12814: Deserialization of untrusted data in FasterXML jackson-databind

5.9

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2019-12814:
Deserialization of untrusted data in FasterXML jackson-databind

Vulnerability Intelligence
Miggo AI