CVE-2019-16943 : A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 th

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.

Published 2019-10-01 17:15:10

Updated 2023-09-13 14:55:11

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2019-16943

Debian » Debian Linux » Version: 8.0
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 9.0
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 10.0
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
Matching versions
Redhat » Jboss Enterprise Application Platform » Version: 7.2
cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2:*:*:*:*:*:*:*
Matching versions
When used together with: Redhat » Enterprise Linux Server » Version: 6.0
When used together with: Redhat » Enterprise Linux Server » Version: 7.0
Redhat » Jboss Enterprise Application Platform » Version: 7.3
cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3:*:*:*:*:*:*:*
Matching versions
When used together with: Redhat » Enterprise Linux Server » Version: 6.0
When used together with: Redhat » Enterprise Linux Server » Version: 7.0
Oracle » Weblogic Server » Version: 12.2.1.3.0
cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
Matching versions
Oracle » Weblogic Server » Version: 12.2.1.4.0
cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
Matching versions
Oracle » Jd Edwards Enterpriseone Tools » Version: 9.2
cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:*:*:*:*:*:*:*
Matching versions
Oracle » Webcenter Sites » Version: 12.2.1.3.0
cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:*
Matching versions
Oracle » Webcenter Sites » Version: 12.2.1.4.0
cpe:2.3:a:oracle:webcenter_sites:12.2.1.4.0:*:*:*:*:*:*:*
Matching versions
Oracle » Banking Platform » Version: 2.6.0
cpe:2.3:a:oracle:banking_platform:2.6.0:*:*:*:*:*:*:*
Matching versions
Oracle » Banking Platform » Version: 2.6.1
cpe:2.3:a:oracle:banking_platform:2.6.1:*:*:*:*:*:*:*
Matching versions
Oracle » Banking Platform » Version: 2.6.2
cpe:2.3:a:oracle:banking_platform:2.6.2:*:*:*:*:*:*:*
Matching versions
Oracle » Banking Platform » Version: 2.4.1
cpe:2.3:a:oracle:banking_platform:2.4.1:*:*:*:*:*:*:*
Matching versions
Oracle » Banking Platform » Version: 2.5.0
cpe:2.3:a:oracle:banking_platform:2.5.0:*:*:*:*:*:*:*
Matching versions
Oracle » Banking Platform » Version: 2.4.0
cpe:2.3:a:oracle:banking_platform:2.4.0:*:*:*:*:*:*:*
Matching versions
Oracle » Banking Platform » Version: 2.7.0
cpe:2.3:a:oracle:banking_platform:2.7.0:*:*:*:*:*:*:*
Matching versions
Oracle » Banking Platform » Version: 2.7.1
cpe:2.3:a:oracle:banking_platform:2.7.1:*:*:*:*:*:*:*
Matching versions
Oracle » Banking Platform » Version: 2.9.0
cpe:2.3:a:oracle:banking_platform:2.9.0:*:*:*:*:*:*:*
Matching versions
Oracle » Primavera Gateway
Versions from including (>=) 18.8.0 and up to, including, (<=) 18.8.8
cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*
Matching versions
Oracle » Primavera Gateway
Versions from including (>=) 17.7 and up to, including, (<=) 17.12.6
cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*
Matching versions
Oracle » Primavera Gateway » Version: 16.2
cpe:2.3:a:oracle:primavera_gateway:16.2:*:*:*:*:*:*:*
Matching versions
Oracle » Primavera Gateway » Version: 16.1
cpe:2.3:a:oracle:primavera_gateway:16.1:*:*:*:*:*:*:*
Matching versions
Oracle » Primavera Gateway » Version: 19.12.0
cpe:2.3:a:oracle:primavera_gateway:19.12.0:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Merchandising System » Version: 15.0.3
cpe:2.3:a:oracle:retail_merchandising_system:15.0.3:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Merchandising System » Version: 16.0.2
cpe:2.3:a:oracle:retail_merchandising_system:16.0.2:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Merchandising System » Version: 16.0.3
cpe:2.3:a:oracle:retail_merchandising_system:16.0.3:*:*:*:*:*:*:*
Matching versions
Oracle » Webcenter Portal » Version: 12.2.1.3.0
cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*
Matching versions
Oracle » Webcenter Portal » Version: 12.2.1.4.0
cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Sales Audit » Version: 14.1
cpe:2.3:a:oracle:retail_sales_audit:14.1:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Billing And Revenue Management » Version: 7.5.0.23.0
cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5.0.23.0:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Billing And Revenue Management » Version: 12.0.0.3.0
cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0.0.3.0:*:*:*:*:*:*:*
Matching versions
Oracle » Jd Edwards Enterpriseone Orchestrator » Version: 9.2
cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:9.2:*:*:*:*:*:*:*
Matching versions
Oracle » Goldengate Application Adapters » Version: 19.1.0.0.0
cpe:2.3:a:oracle:goldengate_application_adapters:19.1.0.0.0:*:*:*:*:*:*:*
Matching versions
Oracle » Siebel Engineering - Installer & Deployment
Versions up to, including, (<=) 2.20.5
cpe:2.3:a:oracle:siebel_engineering_-_installer_\&_deployment:*:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Calendar Server » Version: 8.0.0.2.0
cpe:2.3:a:oracle:communications_calendar_server:8.0.0.2.0:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Calendar Server » Version: 8.0.0.3.0
cpe:2.3:a:oracle:communications_calendar_server:8.0.0.3.0:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Evolved Communications Application Server » Version: 7.1
cpe:2.3:a:oracle:communications_evolved_communications_application_server:7.1:*:*:*:*:*:*:*
Matching versions
Oracle » Global Lifecycle Management Nextgen Oui Framework » Version: 12.2.1.3.0
cpe:2.3:a:oracle:global_lifecycle_management_nextgen_oui_framework:12.2.1.3.0:*:*:*:*:*:*:*
Matching versions
Oracle » Global Lifecycle Management Nextgen Oui Framework » Version: 12.2.1.4.0
cpe:2.3:a:oracle:global_lifecycle_management_nextgen_oui_framework:12.2.1.4.0:*:*:*:*:*:*:*
Matching versions
Oracle » Global Lifecycle Management Nextgen Oui Framework » Version: 13.9.4.2.2
cpe:2.3:a:oracle:global_lifecycle_management_nextgen_oui_framework:13.9.4.2.2:*:*:*:*:*:*:*
Matching versions
Oracle » Trace File Analyzer » Version: 12.2.0.1
cpe:2.3:a:oracle:trace_file_analyzer:12.2.0.1:*:*:*:*:*:*:*
Matching versions
Oracle » Trace File Analyzer » Version: 18C
cpe:2.3:a:oracle:trace_file_analyzer:18c:*:*:*:*:*:*:*
Matching versions
Oracle » Trace File Analyzer » Version: 19C
cpe:2.3:a:oracle:trace_file_analyzer:19c:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Cloud Native Core Network Slice Selection Function » Version: 1.2.1
cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:1.2.1:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 31
cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 30
cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
Matching versions
Netapp » Oncommand Workflow Automation » Version: N/A
cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*
Matching versions
Netapp » Service Level Manager » Version: N/A
cpe:2.3:a:netapp:service_level_manager:-:*:*:*:*:*:*:*
Matching versions
Netapp » Steelstore Cloud Integrated Storage » Version: N/A
cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:*:*:*:*:*:*:*
Matching versions
Netapp » Oncommand Api Services » Version: N/A
cpe:2.3:a:netapp:oncommand_api_services:-:*:*:*:*:*:*:*
Matching versions
Netapp » Active Iq Unified Manager » For Windows
Versions from including (>=) 7.3
cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:windows:*:*
Matching versions
Netapp » Active Iq Unified Manager » For Linux
Versions from including (>=) 7.3
cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:linux:*:*
Matching versions
Netapp » Active Iq Unified Manager » For Vmware Vsphere
Versions from including (>=) 9.5
cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:vmware_vsphere:*:*
Matching versions
Fasterxml » Jackson-databind
Versions from including (>=) 2.0.0 and before (<) 2.6.7.3
cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*
Matching versions
Fasterxml » Jackson-databind
Versions from including (>=) 2.7.0 and before (<) 2.8.11.5
cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*
Matching versions
Fasterxml » Jackson-databind
Versions from including (>=) 2.9.0 and before (<) 2.9.10.1
cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2019-16943

EPSS FAQ

1.84%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 81 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2019-16943

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.8	MEDIUM	AV:N/AC:M/Au:N/C:P/I:P/A:P	8.6	6.4	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2019-16943

CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2019-16943

https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E

[GitHub] [bookkeeper] padma81 opened a new issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image - Pony Mail
Mailing List;Third Party Advisory

CVEs referencing this url
https://www.oracle.com/security-alerts/cpujan2020.html

Oracle Critical Patch Update Advisory - January 2020
Third Party Advisory

CVEs referencing this url
https://www.oracle.com/security-alerts/cpuoct2020.html

Oracle Critical Patch Update Advisory - October 2020
Patch;Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/6788e4c991f75b89d290ad06b463fcd30bcae99fee610345a35b7bc6@%3Cissues.iceberg.apache.org%3E

[GitHub] [incubator-iceberg] rdsr commented on issue #535: Update Jackson to 2.9.10 for CVE-2019-14379 - Pony Mail
Mailing List;Third Party Advisory

CVEs referencing this url
https://github.com/FasterXML/jackson-databind/issues/2478

Block two more gadget types (commons-dbcp, p6spy, CVE-2019-16942 / CVE-2019-16943) · Issue #2478 · FasterXML/jackson-databind · GitHub
Patch;Third Party Advisory

CVEs referencing this url
https://security.netapp.com/advisory/ntap-20191017-0006/

October 2019 FasterXML jackson-databind Vulnerabilities in NetApp Products | NetApp Product Security
Third Party Advisory

CVEs referencing this url
https://www.oracle.com/security-alerts/cpuapr2020.html

Oracle Critical Patch Update Advisory - April 2020
Third Party Advisory

CVEs referencing this url
https://www.oracle.com/security-alerts/cpujul2020.html

Oracle Critical Patch Update Advisory - July 2020
Third Party Advisory

CVEs referencing this url
https://www.oracle.com//security-alerts/cpujul2021.html

Oracle Critical Patch Update Advisory - July 2021
Patch;Third Party Advisory

CVEs referencing this url
https://lists.debian.org/debian-lts-announce/2019/10/msg00001.html

[SECURITY] [DLA 1943-1] jackson-databind security update
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E

[jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities - Pony Mail
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/5ec8d8d485c2c8ac55ea425f4cd96596ef37312532712639712ebcdd@%3Ccommits.iceberg.apache.org%3E

Pony Mail!
Mailing List;Third Party Advisory
https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E

Pony Mail!
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TH5VFUN4P7CCIP7KSEXYA5MUTFCUDUJT/

[SECURITY] Fedora 30 Update: jackson-core-2.10.0-1.fc30 - package-announce - Fedora Mailing-Lists
Third Party Advisory

CVEs referencing this url
https://seclists.org/bugtraq/2019/Oct/6

Bugtraq: [SECURITY] [DSA 4542-1] jackson-databind security update
Issue Tracking;Mailing List;Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2020:0164

RHSA-2020:0164 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2020:0159

RHSA-2020:0159 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E

Pony Mail!
Mailing List;Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2020:0445

RHSA-2020:0445 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2020:0160

RHSA-2020:0160 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2020:0161

RHSA-2020:0161 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://www.debian.org/security/2019/dsa-4542

Debian -- Security Information -- DSA-4542-1 jackson-databind
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q7CANA7KV53JROZDX5Z5P26UG5VN2K43/

[SECURITY] Fedora 31 Update: jackson-core-2.10.0-1.fc31 - package-announce - Fedora Mailing-Lists
Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/r392099ed2757ff2e383b10440594e914d080511d7da1c8fed0612c1f@%3Ccommits.druid.apache.org%3E

Pony Mail!
Mailing List;Third Party Advisory

CVEs referencing this url
https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062

On Jackson CVEs: Don’t Panic — Here is what you need to know
Exploit;Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E

[jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities - Pony Mail
Mailing List;Third Party Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2019-16943

Products affected by CVE-2019-16943

Exploit prediction scoring system (EPSS) score for CVE-2019-16943

CVSS scores for CVE-2019-16943

CWE ids for CVE-2019-16943

References for CVE-2019-16943