
CVE-2019-12814: Deserialization of untrusted data in FasterXML jackson-databind

CVSS Score: 5.9 (CVSS v3.0)

Basic Information

EPSS Score: 0.95068%
Published: 7/17/2019
Updated: 3/15/2024
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
com.fasterxml.jackson.core:jackson-databind | maven | >= 2.9.0, < 2.9.9.1 | 2.9.9.1
com.fasterxml.jackson.core:jackson-databind | maven | >= 2.8.0, < 2.8.11.4 | 2.8.11.4
com.fasterxml.jackson.core:jackson-databind | maven | >= 2.7.0, < 2.7.9.6 | 2.7.9.6
com.fasterxml.jackson.core:jackson-databind | maven | >= 2.0.0, < 2.6.7.3 | 2.6.7.3

Vulnerability Intelligence

Root Cause Analysis

The patch for CVE-2019-12814 modifies SubTypeValidator.java to block certain classes from being deserialized, indicating these classes were previously vulnerable. The deserialization process, potentially involving the validateSubType() method or similar, is critical in exploiting this vulnerability.


WAF Protection Rules

WAF Rule

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in
