Vulnerability Details : CVE-2019-14379
SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution.
Vulnerability category: Execute code
Products affected by CVE-2019-14379
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:openshift_container_platform:4.1:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:single_sign-on:7.3:*:*:*:*:*:*:*
- cpe:2.3:a:apple:xcode:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:siebel_ui_framework:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_xstore_point_of_service:7.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_platform:2.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_platform:2.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_platform:2.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_platform:2.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_platform:2.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_platform:2.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_platform:2.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_gateway:17.12:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_gateway:15.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_gateway:16.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_gateway:18.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:*
- Oracle » Financial Services Analytical Applications InfrastructureVersions from including (>=) 8.0.2 and up to, including, (<=) 8.0.8cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:17.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_diameter_signaling_router:8.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_diameter_signaling_router:8.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:9.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:goldengate_stream_analytics:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:siebel_engineering_-_installer_\&_deployment:*:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:service_level_manager:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:windows:*:*
- cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:linux:*:*
- cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:vmware_vsphere:*:*
- cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*
- cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*
- cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*
- cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-14379
0.98%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 83 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2019-14379
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5
|
HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
10.0
|
6.4
|
NIST | |
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST |
CWE ids for CVE-2019-14379
-
The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-14379
-
http://seclists.org/fulldisclosure/2022/Mar/23
Full Disclosure: APPLE-SA-2022-03-14-7 Xcode 13.3Mailing List;Third Party Advisory
-
https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E
[GitHub] [bookkeeper] padma81 opened a new issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image - Pony MailMailing List;Third Party Advisory
-
https://access.redhat.com/errata/RHSA-2019:2998
RHSA-2019:2998 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://lists.apache.org/thread.html/940b4c3fef002461b89a050935337056d4a036a65ef68e0bbd4621ef@%3Cdev.struts.apache.org%3E
Build failed in Jenkins: Struts-master-JDK8-dependency-check #204 - Pony MailMailing List;Third Party Advisory
-
https://github.com/FasterXML/jackson-databind/issues/2387
Block one more gadget type (ehcache, CVE-2019-14379) · Issue #2387 · FasterXML/jackson-databind · GitHubIssue Tracking;Patch;Third Party Advisory
-
https://www.oracle.com/security-alerts/cpujan2020.html
Oracle Critical Patch Update Advisory - January 2020Third Party Advisory
-
https://lists.apache.org/thread.html/75f482fdc84abe6d0c8f438a76437c335a7bbeb5cddd4d70b4bc0cbf@%3Cissues.iceberg.apache.org%3E
Pony Mail!Mailing List;Third Party Advisory
-
https://www.oracle.com/security-alerts/cpuoct2020.html
Oracle Critical Patch Update Advisory - October 2020Patch;Third Party Advisory
-
https://lists.apache.org/thread.html/6788e4c991f75b89d290ad06b463fcd30bcae99fee610345a35b7bc6@%3Cissues.iceberg.apache.org%3E
[GitHub] [incubator-iceberg] rdsr commented on issue #535: Update Jackson to 2.9.10 for CVE-2019-14379 - Pony MailMailing List;Third Party Advisory
-
https://support.apple.com/kb/HT213189
About the security content of Xcode 13.3 - Apple SupportThird Party Advisory
-
https://access.redhat.com/errata/RHSA-2019:3292
RHSA-2019:3292 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://www.oracle.com/security-alerts/cpuapr2020.html
Oracle Critical Patch Update Advisory - April 2020Third Party Advisory
-
https://access.redhat.com/errata/RHSA-2019:2743
RHSA-2019:2743 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://access.redhat.com/errata/RHSA-2019:3297
RHSA-2019:3297 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
Page not found | OraclePatch;Third Party Advisory
-
https://www.oracle.com/security-alerts/cpujul2020.html
Oracle Critical Patch Update Advisory - July 2020Third Party Advisory
-
https://lists.apache.org/thread.html/5ecc333113b139429f4f05000d4aa2886974d4df3269c1dd990bb319@%3Cdev.tomee.apache.org%3E
[GitHub] [tomee] rzo1 commented on issue #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439 - Pony MailMailing List;Third Party Advisory
-
https://lists.apache.org/thread.html/e25e734c315f70d8876a846926cfe3bfa1a4888044f146e844caf72f@%3Ccommits.ambari.apache.org%3E
Pony Mail!Mailing List;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TXRVXNRFHJSQWFHPRJQRI5UPMZ63B544/
[SECURITY] Fedora 29 Update: jackson-core-2.9.9-1.fc29 - package-announce - Fedora Mailing-ListsThird Party Advisory
-
https://lists.apache.org/thread.html/2d2a76440becb610b9a9cb49b15eac3934b02c2dbcaacde1000353e4@%3Cdev.tomee.apache.org%3E
[GitHub] [tomee] rzo1 opened a new pull request #548: [TOMEE-2655] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439 - Pony MailMailing List;Third Party Advisory
-
https://lists.apache.org/thread.html/56c8042873595b8c863054c7bfccab4bf2c01c6f5abedae249d914b9@%3Cdev.tomee.apache.org%3E
Pony Mail!Mailing List;Third Party Advisory
-
https://lists.apache.org/thread.html/525bcf949a4b0da87a375cbad2680b8beccde749522f24c49befe7fb@%3Ccommits.pulsar.apache.org%3E
[GitHub] [pulsar] massakam opened a new pull request #5011: [security] Upgrade jackson-databind - Pony MailMailing List;Third Party Advisory
-
https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E
[jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities - Pony MailMailing List
-
https://lists.apache.org/thread.html/d161ff3d59c5a8213400dd6afb1cce1fac4f687c32d1e0c0bfbfaa2d@%3Cissues.iceberg.apache.org%3E
[GitHub] [incubator-iceberg] rdblue commented on issue #533: Update Jackson to 2.9.10 for CVE-2019-14379 - Pony MailMailing List;Third Party Advisory
-
https://access.redhat.com/errata/RHSA-2019:3045
RHSA-2019:3045 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://access.redhat.com/errata/RHSA-2019:2936
RHSA-2019:2936 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://access.redhat.com/errata/RHSA-2019:3149
RHSA-2019:3149 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E
Pony Mail!Mailing List;Third Party Advisory
-
https://lists.apache.org/thread.html/689c6bcc6c7612eee71e453a115a4c8581e7b718537025d4b265783d@%3Cissues.iceberg.apache.org%3E
[GitHub] [incubator-iceberg] mccheah opened a new pull request #535: Update Jackson to 2.9.10 for CVE-2019-14379 - Pony MailMailing List;Third Party Advisory
-
https://lists.apache.org/thread.html/34717424b4d08b74f65c09a083d6dd1cb0763f37a15d6de135998c1d@%3Cdev.tomee.apache.org%3E
[GitHub] [tomee] rzo1 opened a new pull request #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439 - Pony MailMailing List;Third Party Advisory
-
https://access.redhat.com/errata/RHSA-2019:3044
RHSA-2019:3044 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://lists.apache.org/thread.html/0d4b630d9ee724aee50703397d9d1afa2b2befc9395ba7797d0ccea9@%3Cdev.tomee.apache.org%3E
[GitHub] [tomee] asf-ci commented on issue #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439 - Pony MailMailing List;Third Party Advisory
-
https://lists.apache.org/thread.html/8723b52c2544e6cb804bc8a36622c584acd1bd6c53f2b6034c9fea54@%3Cissues.iceberg.apache.org%3E
Pony Mail!Mailing List;Third Party Advisory
-
https://www.oracle.com/security-alerts/cpuApr2021.html
Oracle Critical Patch Update Advisory - April 2021Patch;Third Party Advisory
-
https://security.netapp.com/advisory/ntap-20190814-0001/
August 2019 FasterXML jackson-databind Vulnerabilities in NetApp Products | NetApp Product SecurityThird Party Advisory
-
https://lists.apache.org/thread.html/2766188be238a446a250ef76801037d452979152d85bce5e46805815@%3Cissues.iceberg.apache.org%3E
[GitHub] [incubator-iceberg] rdblue commented on issue #535: Update Jackson to 2.9.10 for CVE-2019-14379 - Pony MailMailing List;Third Party Advisory
-
https://access.redhat.com/errata/RHSA-2019:3050
RHSA-2019:3050 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E
Pony Mail!Mailing List;Third Party Advisory
-
https://lists.apache.org/thread.html/99944f86abefde389da9b4040ea2327c6aa0b53a2ff9352bd4cfec17@%3Cissues.iceberg.apache.org%3E
[GitHub] [incubator-iceberg] rdblue closed pull request #533: Update Jackson to 2.9.10 for CVE-2019-14379 - Pony MailMailing List;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OVRZDN2T6AZ6DJCZJ3VSIQIVHBVMVWBL/
[SECURITY] Fedora 30 Update: jackson-databind-2.9.9.3-1.fc30 - package-announce - Fedora Mailing-ListsThird Party Advisory
-
https://access.redhat.com/errata/RHSA-2019:3901
RHSA-2019:3901 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://access.redhat.com/errata/RHSA-2019:3200
RHSA-2019:3200 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://access.redhat.com/errata/RHSA-2019:2935
RHSA-2019:2935 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://lists.debian.org/debian-lts-announce/2019/08/msg00011.html
[SECURITY] [DLA 1879-1] jackson-databind security updateMailing List;Third Party Advisory
-
https://access.redhat.com/errata/RHSA-2019:2858
RHSA-2019:2858 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://lists.apache.org/thread.html/5fc0e16b7af2590bf1e97c76c136291c4fdb244ee63c65c485c9a7a1@%3Cdev.tomee.apache.org%3E
[GitHub] [tomee] jgallimore merged pull request #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439 - Pony MailMailing List;Third Party Advisory
-
https://lists.apache.org/thread.html/859815b2e9f1575acbb2b260b73861c16ca49bca627fa0c46419051f@%3Cissues.iceberg.apache.org%3E
[GitHub] [incubator-iceberg] rdblue opened a new pull request #533: Update Jackson to 2.9.10 for CVE-2019-14379 - Pony MailMailing List;Third Party Advisory
-
https://lists.apache.org/thread.html/0fcef7321095ce0bc597d468d150cff3d647f4cb3aef3bd4d20e1c69@%3Ccommits.tinkerpop.apache.org%3E
[GitHub] [tinkerpop] justinchuch opened a new pull request #1200: Upgrade jackson due to CVE issues - Pony MailMailing List;Third Party Advisory
-
https://access.redhat.com/errata/RHSA-2019:2937
RHSA-2019:2937 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.1...jackson-databind-2.9.9.2
Comparing jackson-databind-2.9.9.1...jackson-databind-2.9.9.2 · FasterXML/jackson-databind · GitHubPatch;Third Party Advisory
-
https://lists.apache.org/thread.html/87e46591de8925f719664a845572d184027258c5a7af0a471b53c77b@%3Cdev.tomee.apache.org%3E
Pony Mail!Mailing List;Third Party Advisory
-
https://access.redhat.com/errata/RHBA-2019:2824
Third Party Advisory
-
https://access.redhat.com/errata/RHSA-2019:3046
RHSA-2019:3046 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://lists.apache.org/thread.html/f17f63b0f8a57e4a5759e01d25cffc0548f0b61ff5c6bfd704ad2f2a@%3Ccommits.ambari.apache.org%3E
[ambari] branch trunk updated: AMBARI-25352 : Upgrade fasterxml jackson dependency due to CVE-2019-14379(trunk) (#3067) - Pony MailMailing List;Third Party Advisory
-
https://access.redhat.com/errata/RHSA-2019:2938
RHSA-2019:2938 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UKUALE2TUCKEKOHE2D342PQXN4MWCSLC/
[SECURITY] Fedora 31 Update: jackson-databind-2.9.9.3-1.fc31 - package-announce - Fedora Mailing-ListsThird Party Advisory
-
https://access.redhat.com/errata/RHSA-2020:0727
RHSA-2020:0727 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E
[jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities - Pony MailMailing List;Third Party Advisory
-
https://lists.apache.org/thread.html/ee0a051428d2c719acfa297d0854a189ea5e284ef3ed491fa672f4be@%3Cdev.tomee.apache.org%3E
[GitHub] [tomee] robert-schaft-hon commented on issue #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439 - PonMailing List;Third Party Advisory
Jump to