A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.
Remediation
Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.9.2 or later. For example:
Always verify the validity and compatibility of suggestions with your codebase.
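As an added illustration (not part of this advisory or of the jackson-databind project), the weak ObjectMapper configuration both CVEs depend on, beside a hardened one that keeps polymorphism on an explicit allow-list. The `Shape`, `Circle` and `Square` types and the sample payloads are constructed for the example; the upgrade to 2.9.9.2 or later described above still applies.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;

public class PolymorphicTypingConfig {

    // Weak setting: global Default Typing lets the JSON document itself name the
    // class to instantiate. On jackson-databind < 2.9.9.2 with logback or ehcache
    // on the classpath this is exactly the precondition the advisory describes.
    // Remediation: upgrade com.fasterxml.jackson.core:jackson-databind to >= 2.9.9.2
    // AND avoid this setting on externally exposed endpoints.
    static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL); // avoid
        return mapper;
    }

    // Hardened setting: Default Typing stays off (the ObjectMapper default), and
    // polymorphic types declare a fixed set of logical names instead of class names.
    static ObjectMapper hardenedMapper() {
        return new ObjectMapper();
    }

    // Constructed example hierarchy: only "circle" and "square" can ever be resolved.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "type")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = Circle.class, name = "circle"),
        @JsonSubTypes.Type(value = Square.class, name = "square")
    })
    interface Shape {}

    static class Circle implements Shape { public double radius; }
    static class Square implements Shape { public double side; }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = hardenedMapper();

        // Constructed payload: the type id is looked up in the allow-list, not the classpath.
        Shape shape = mapper.readValue("{\"type\":\"circle\",\"radius\":2.0}", Shape.class);
        System.out.println(shape.getClass().getSimpleName()); // Circle

        // Constructed payload with an id outside the allow-list: rejected, never instantiated.
        try {
            mapper.readValue("{\"type\":\"not.on.the.allow.list\"}", Shape.class);
        } catch (InvalidTypeIdException e) {
            System.out.println("rejected unknown type id: " + e.getTypeId());
        }
    }
}
```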
Details
CVE-2019-14379
moderate severity
*Vulnerable versions:* < 2.9.9.2
*Patched version:* 2.9.9.2
SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used, leading to remote code execution.
CVE-2019-14439
moderate severity
*Vulnerable versions:* < 2.9.9.2
*Patched version:* 2.9.9.2
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.