9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-14893

GHSA ID

GHSA-qmqc-x3r4-6v39

EPSS Score

0.71024%

CWE

CWE-502

Published

5/15/2020

Updated

2/1/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-14893

CVE-2019-14893: Polymorphic deserialization of malicious object in jackson-databind

A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as enableDefaultTyping() or when @JsonTypeInfo is using Id.CLASS or Id.MINIMAL_CLASS or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.

(GitHub Advisory)

9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-14893

GHSA ID

GHSA-qmqc-x3r4-6v39

EPSS Score

0.71024%

CWE

CWE-502

Published

5/15/2020

Updated

2/1/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
com.fasterxml.jackson.core:jackson-databind	maven	>= 2.9.0, < 2.9.10	2.9.10

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The patch modifies SubTypeValidator to include 'org.apache.xalan.lib.sql.JNDIConnectionPool' in the list of non-deserializable classes, indicating that the vulnerability is related to the deserialization process handled by this validator. The method validateSubType() is a likely candidate for being directly related to this process.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* *l*w w*s *is*ov*r** in **st*rXML j**kson-**t**in* in *ll v*rsions ***or* *.*.** *n* *.**.*, w**r* it woul* p*rmit polymorp*i* **s*ri*liz*tion o* m*li*ious o*j**ts usin* t** x*l*n JN*I *****t w**n us** in *onjun*tion wit* polymorp*i* typ* **n*lin* m

Reasoning

T** p*t** mo*i*i*s `Su*Typ*V*li**tor` to in*lu** 'or*.*p****.x*l*n.li*.sql.JN*I*onn**tionPool' in t** list o* non-**s*ri*liz**l* *l*ss*s, in*i**tin* t**t t** vuln*r**ility is r*l*t** to t** **s*ri*liz*tion `pro**ss` **n*l** *y t*is v*li**tor. T** m*t

9.8

Basic Information

Concerned about an active attack path?

CVE-2019-14893: Polymorphic deserialization of malicious object in jackson-databind

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI