A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.
@Peter Murray @Oleksii Popov this module currently does not have maintainers or a dedicated team assigned. It's a problem for addressing maintenance issues like this one.
@Cate Boerema @Mark Veksler let's discuss what we can do with this.
Oleksii Popov July 31, 2019 at 9:54 AM
Thanks, we will review it with the team. FYI @Jakub Skoczen
Peter Murray July 30, 2019 at 5:33 PM
@Oleksii Popov: Could you update this issue with the appropriate team and story points to get it into the developer backlog, please?
Remediation
Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.9.1 or later. For example:
<dependency>
  <groupId>com.fasterxml.jackson.core</groupId>
  <artifactId>jackson-databind</artifactId>
  <version>[2.9.9.1,)</version>
</dependency>
Always verify the validity and compatibility of suggestions with your codebase.
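As an added illustration of the setting the advisory describes (example code, not from the jackson-databind project or this issue): the ObjectMapper configuration that leaves Default Typing open beside one that keeps it but restricts type ids to an explicit allowlist, so a type id naming a class outside the model is rejected before it is instantiated. It assumes jackson-databind 2.10 or later for the PolymorphicTypeValidator API; the Shape and Circle classes and the com.example.shapes package are hypothetical.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingHardening {

    // Hypothetical domain model: the only polymorphic types this service should ever build.
    public static abstract class Shape { public double area; }
    public static class Circle extends Shape { public double radius; }

    // Weak: the configuration the advisory describes. The class name carried in each
    // JSON type id is resolved and instantiated with no allowlist, so any gadget class
    // present on the classpath (JDOM in this CVE) is reachable from request input.
    static ObjectMapper weakMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(); // deprecated since 2.10 for exactly this reason
        return m;
    }

    // Hardened: Default Typing stays on, but every type id is checked against an
    // explicit allowlist (by name prefix, then by class hierarchy) before use.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Shape.class)           // anything extending our own base
                .allowIfSubType("com.example.shapes.") // or living in our model package
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a legitimate payload and one naming a class outside the allowlist.
        Circle c = new Circle(); c.radius = 2.0; c.area = 12.57;
        String good = hardenedMapper().writeValueAsString(c);
        String foreign = "[\"java.util.HashMap\",{\"k\":\"v\"}]";
        Shape back = hardenedMapper().readValue(good, Shape.class);
        System.out.println("allowlisted type round-trips as " + back.getClass().getSimpleName());
        Object o = weakMapper().readValue(foreign, Object.class);
        System.out.println("weak mapper built a " + o.getClass().getName() + " from the type id");
        try {
            hardenedMapper().readValue(foreign, Object.class);
        } catch (InvalidTypeIdException e) {
            System.out.println("hardened mapper rejected it: " + e.getOriginalMessage());
        }
    }
}
```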
Details
CVE-2019-12814
moderate severity
*Vulnerable versions:* >= 2.0.0, < 2.9.9.1
*Patched version:* 2.9.9.1