CVE-2019-14892 vulnerability in FasterXML and Other Products

CVE-2019-14892 vulnerability in FasterXML and Other Products
Published on March 2, 2020

A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code.

Weakness Types

What is a Marshaling, Unmarshaling Vulnerability?

The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

CVE-2019-14892 has been classified to as a Marshaling, Unmarshaling vulnerability or weakness.

What is an Information Disclosure Vulnerability?

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CVE-2019-14892 has been classified to as an Information Disclosure vulnerability or weakness.

Products Associated with CVE-2019-14892

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2019-14892 are published in these products:

Affected Versions

Version Versions before 2.9.10 is affected.

Version Versions before 2.8.11.5 is affected.

Version Versions before 2.6.7.3 is affected.

Exploit Probability

EPSS

0.87%

Percentile

74.99%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.