CVSSv2: 4.3

CVE-2019-12384

Published: 24/06/2019 Updated: 07/11/2023
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
CVSS v3 Base Score: 5.9 | Impact Score: 3.6 | Exploitability Score: 2.2
VMScore: 385
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Vulnerability Summary

FasterXML jackson-databind 2.x prior to 2.9.9.1 might allow malicious users to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.

Vulnerable Products

FasterXML jackson-databind
Debian Linux 8.0
Red Hat Enterprise Linux 7.4
Red Hat Enterprise Linux 7.0
Red Hat Enterprise Linux 7.5
Red Hat Enterprise Linux 7.6
Red Hat Enterprise Linux 7.7

Vendor Advisories

Debian Bug report logs - #930750 jackson-databind: CVE-2019-12384 CVE-2019-12814 Package: src:jackson-databind; Maintainer for src:jackson-databind is Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org> Date: Wed, 19 Jun 2019 20:27:02 UTC Sever ...
It was discovered that jackson-databind, a Java library used to parse JSON and other data formats, did not properly validate user input before attempting deserialization. This allowed an attacker providing maliciously crafted input to perform code execution, or read arbitrary files on the server. For the oldstable distribution (stretch), these prob ...
Synopsis Important: Red Hat Process Automation Manager 7.5.0 Security Update Type/Severity Security Advisory: Important Topic An update is now available for Red Hat Process Automation Manager. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scor ...
Synopsis Important: Red Hat Decision Manager 7.5.0 Security Update Type/Severity Security Advisory: Important Topic An update is now available for Red Hat Decision Manager. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) ba ...
Synopsis Important: rh-maven35-jackson-databind security update Type/Severity Security Advisory: Important Topic An update for rh-maven35-jackson-databind is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulne ...
Synopsis Important: Red Hat OpenShift Application Runtimes Vert.x 3.8.3 security update Type/Severity Security Advisory: Important Topic An update is now available for Red Hat OpenShift Application Runtimes. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vul ...
Synopsis Important: pki-deps:10.6 security update Type/Severity Security Advisory: Important Topic An update for the pki-deps:10.6 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring Sy ...
Synopsis Important: OpenShift Container Platform logging-elasticsearch5-container security update Type/Severity Security Advisory: Important Topic An update for logging-elasticsearch5-container is now available for Red Hat OpenShift Container Platform 3.11. Red Hat Product Security has rated this update as h ...
Synopsis Important: Red Hat JBoss Enterprise Application Platform 7.2.4 on RHEL 6 Security update Type/Severity Security Advisory: Important Topic An update is now available for Red Hat JBoss Enterprise Application Platform 7.2 for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as ...
Synopsis Important: Red Hat JBoss Enterprise Application Platform 7.2.4 on RHEL 8 security update Type/Severity Security Advisory: Important Topic An update is now available for Red Hat JBoss Enterprise Application Platform 7.2 for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as ...
Synopsis Important: Red Hat JBoss Enterprise Application Platform 7.2.4 security update Type/Severity Security Advisory: Important Topic An update is now available for Red Hat JBoss Enterprise Application Platform 7.2 for Red Hat Enterprise Linux. Red Hat Product Security has rated this update as having a se ...
Synopsis Important: Red Hat Fuse 7.6.0 security update Type/Severity Security Advisory: Important Topic A minor version update (from 7.5 to 7.6) is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Red Hat Product Security h ...
Synopsis Important: Red Hat JBoss Fuse/A-MQ 6.3 R14 security and bug fix update Type/Severity Security Advisory: Important Topic An update is now available for Red Hat JBoss Fuse 6.3 and Red Hat JBoss A-MQ 6.3. Red Hat Product Security has rated this update as having a security impact of Important. A Common ...
Synopsis Important: Red Hat JBoss Enterprise Application Platform 7.2.4 on RHEL 7 security update Type/Severity Security Advisory: Important Topic An update is now available for Red Hat JBoss Enterprise Application Platform 7.2 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as ...
Synopsis Important: OpenShift Container Platform 4.1.18 logging-elasticsearch5 security update Type/Severity Security Advisory: Important Topic An update for logging-elasticsearch5-container is now available for Red Hat OpenShift Container Platform 4.1. Red Hat Product Security has rated this update as havin ...
Synopsis Important: Red Hat OpenShift Application Runtimes Thorntail 2.5.0 security & bug fix update Type/Severity Security Advisory: Important Topic An update is now available for Red Hat OpenShift Application Runtimes. Red Hat Product Security has rated this update as having a security impact of Import ...
Impact: Important Public Date: 2019-06-21 CWE: CWE-502 Bugzilla: 1725807: CVE-2019-12384 jackson-databi ...
Cosminexus Component Container contains the following vulnerabilities: CVE-2019-12086, CVE-2019-12384, CVE-2019-12814, CVE-2019-14379, CVE-2019-14439, CVE-2019-14540, CVE-2019-14892, CVE-2019-14893, CVE-2019-16335, CVE-2019-16942, CVE-2019-16943, CVE-2019-17267, CVE-2019-17531, CVE-2019-20330, CVE-2020-8840, CVE-2020-9546, CVE-2020-9547, CVE-20 ...
Multiple vulnerabilities have been found in Hitachi Ops Center Analyzer viewpoint CVE-2018-10054, CVE-2018-14335, CVE-2018-20200, CVE-2019-10086, CVE-2019-12086, CVE-2019-12384, CVE-2019-12814, CVE-2019-14379, CVE-2019-14439, CVE-2019-14540, CVE-2019-14892, CVE-2019-14893, CVE-2019-16335, CVE-2019-16942, CVE-2019-16943, CVE-2019-17267, CVE-2019- ...

GitHub Repositories

HackTheBox Linux Bashed [ PHP Bash, Scheduled task ] Popcorn [ Image upload vulnerability, MOTD File Tampering ] Celestial [ Node deserialization attack, Scheduled task, syslogs ] Nibbles [ Image upload, Default creds, opensource/git, sudoer file ] Cronos [ dig DNS, command injection, Scheduled task, laravel PHP ] Lame [ smb 3.0.20 usermapscript command execution ]

Jackson Rce For CVE-2019-12384

CVE-2019-12384 Jackson RCE And SSRF 0x01 python -m SimpleHTTPServer python -m SimpleHTTPServer >>>Serving HTTP on 0.0.0.0 port 8000 >>>127.0.0.1 - - [24/Jul/2019 03:06:32] "GET /inject.sql HTTP/1.1" 200 - inject.sql CREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) throws

Insecure Java Deserialization in the Jackson Library & How It Can Escalate to RCE Insecure deserialization is a security vulnerability that occurs when a software application deserializes data from an untrusted or malicious source without proper validation and protection. This vulnerability can be exploited by attackers to execute arbitrary code, gain unauthorized acces

Start OpenRASP Cloud & Agent with a one-line script

quick-start Start OpenRASP Cloud (server side) with one bash script in 5 mins. Start OpenRASP Agent as an attack target with one bash script in 3 mins. You can quickly build an OpenRASP test and development environment. One-line script to start OpenRASP Cloud, including docker / docker-compose / es / mongo / mongo-express # It is recommended to change the default password zhimakaimen in cloud.yaml + init/app.conf + init/mongo.js

Java security target range, IAST test cases, Java vulnerability reproduction, code audit, SAST test cases, passive scanning

JavaVul Introduction: a Java security vulnerability target range used to test IAST and the passive-scanning capability of scanners. It collects multiple security vulnerabilities and runs each target in its own isolated environment using Docker images. Article: IAST practice summary. Deployment: mvn version # mvn --version Apache Maven 3.0.5 (Red Hat 3.0.5-17) Maven home: /usr/share/maven Java version: 1.8.0_192, vendor: Oracle Corporation Java home: /usr/java/jd

References

CWE-502
https://lists.debian.org/debian-lts-announce/2019/06/msg00019.html
https://doyensec.com/research.html
https://github.com/FasterXML/jackson-databind/compare/74b90a4...a977aad
https://security.netapp.com/advisory/ntap-20190703-0002/
https://access.redhat.com/errata/RHSA-2019:1820
https://blog.doyensec.com/2019/07/22/jackson-gadgets.html
https://access.redhat.com/errata/RHSA-2019:2720
https://access.redhat.com/errata/RHSA-2019:2858
https://access.redhat.com/errata/RHSA-2019:2937
https://access.redhat.com/errata/RHSA-2019:2936
https://access.redhat.com/errata/RHSA-2019:2935
https://access.redhat.com/errata/RHSA-2019:2938
https://www.debian.org/security/2019/dsa-4542
https://seclists.org/bugtraq/2019/Oct/6
https://access.redhat.com/errata/RHSA-2019:2998
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
https://access.redhat.com/errata/RHSA-2019:3149
https://access.redhat.com/errata/RHSA-2019:3292
https://access.redhat.com/errata/RHSA-2019:3297
https://access.redhat.com/errata/RHSA-2019:3200
https://access.redhat.com/errata/RHSA-2019:3901
https://access.redhat.com/errata/RHSA-2019:4352
https://www.oracle.com/security-alerts/cpujan2020.html
https://www.oracle.com/security-alerts/cpuapr2020.html
https://www.oracle.com/security-alerts/cpujul2020.html
https://www.oracle.com/security-alerts/cpuoct2020.html
https://lists.apache.org/thread.html/0d4b630d9ee724aee50703397d9d1afa2b2befc9395ba7797d0ccea9%40%3Cdev.tomee.apache.org%3E
https://lists.apache.org/thread.html/56c8042873595b8c863054c7bfccab4bf2c01c6f5abedae249d914b9%40%3Cdev.tomee.apache.org%3E
https://lists.apache.org/thread.html/2d2a76440becb610b9a9cb49b15eac3934b02c2dbcaacde1000353e4%40%3Cdev.tomee.apache.org%3E
https://lists.apache.org/thread.html/34717424b4d08b74f65c09a083d6dd1cb0763f37a15d6de135998c1d%40%3Cdev.tomee.apache.org%3E
https://lists.apache.org/thread.html/ee0a051428d2c719acfa297d0854a189ea5e284ef3ed491fa672f4be%40%3Cdev.tomee.apache.org%3E
https://lists.apache.org/thread.html/5ecc333113b139429f4f05000d4aa2886974d4df3269c1dd990bb319%40%3Cdev.tomee.apache.org%3E
https://lists.apache.org/thread.html/940b4c3fef002461b89a050935337056d4a036a65ef68e0bbd4621ef%40%3Cdev.struts.apache.org%3E
https://lists.apache.org/thread.html/5fc0e16b7af2590bf1e97c76c136291c4fdb244ee63c65c485c9a7a1%40%3Cdev.tomee.apache.org%3E
https://lists.apache.org/thread.html/87e46591de8925f719664a845572d184027258c5a7af0a471b53c77b%40%3Cdev.tomee.apache.org%3E
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UKUALE2TUCKEKOHE2D342PQXN4MWCSLC/
https://lists.apache.org/thread.html/3f99ae8dcdbd69438cb733d745ee3ad5e852068490719a66509b4592%40%3Ccommits.cassandra.apache.org%3E
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OVRZDN2T6AZ6DJCZJ3VSIQIVHBVMVWBL/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TXRVXNRFHJSQWFHPRJQRI5UPMZ63B544/
https://lists.apache.org/thread.html/e0733058c0366b703e6757d8d2a7a04b943581f659e9c271f0841dfe%40%3Cnotifications.geode.apache.org%3E
https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E
https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E
https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E
https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3%40%3Ccommits.nifi.apache.org%3E
https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3E
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930750
https://nvd.nist.gov
https://github.com/jas502n/CVE-2019-12384