A Polymorphic Typing issue exists in FasterXML jackson-databind 2.0.0 up to and including 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.
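The root cause described above is Jackson's Default Typing: when it is enabled, the JSON document itself names the class to instantiate (via `@class` or an array wrapper), so any gadget class on the classpath becomes reachable from an external endpoint. The following is an added example, not code from Vulmon, Jackson or Apache Commons DBCP. It contrasts the weak global `enableDefaultTyping()` configuration (deprecated since jackson-databind 2.10) with the 2.10+ `activateDefaultTyping()` form that takes a `PolymorphicTypeValidator` allow-list, and shows the validator rejecting a type id that is not one of the application's own types. The `Shape`/`Circle` classes are hypothetical, and the two JSON documents are constructed inputs; the foreign type id uses `java.util.HashMap` purely to demonstrate that any class outside the allow-list is refused.

```java
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingHardening {

    // Hypothetical application types; the allow-list below admits only these.
    public interface Shape {}
    public static class Circle implements Shape { public double radius; }

    // Weak: global default typing with no validator. Any class on the classpath
    // that Jackson can construct may be named by the caller in "@class".
    // Kept only to show the configuration the advisory text refers to.
    @SuppressWarnings("deprecation")
    static ObjectMapper weakMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL, JsonTypeInfo.As.PROPERTY);
        return m;
    }

    // Hardened (jackson-databind 2.10+): same feature, but type ids are checked
    // against an allow-list before the class is instantiated. Anything that is not
    // a subtype of Shape is rejected with InvalidTypeIdException.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType(Shape.class)
            .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL, JsonTypeInfo.As.PROPERTY);
        return m;
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a legitimate document and one naming a class outside the allow-list.
        String legit = "{\"@class\":\"" + Circle.class.getName() + "\",\"radius\":2.0}";
        String foreign = "{\"@class\":\"java.util.HashMap\"}";

        ObjectMapper hardened = hardenedMapper();

        Shape s = hardened.readValue(legit, Shape.class);
        System.out.println("accepted: " + s.getClass().getSimpleName());

        try {
            hardened.readValue(foreign, Object.class);
            System.out.println("unexpected: foreign type id was accepted");
        } catch (InvalidTypeIdException e) {
            // The validator refused the type id before any constructor ran.
            System.out.println("rejected: " + e.getTypeId());
        }
    }
}
```

The safest option remains not enabling Default Typing at all and using explicit `@JsonTypeInfo`/`@JsonSubTypes` annotations on the few types that genuinely need polymorphism. Where global default typing cannot be removed, the allow-list validator confines the deserializable universe to known application types, so the presence of a library such as commons-dbcp on the classpath no longer matters to the endpoint.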
Vulnerable Product |
---|
fasterxml jackson-databind |
debian debian linux 8.0 |
debian debian linux 9.0 |
debian debian linux 10.0 |
fedoraproject fedora 30 |
fedoraproject fedora 31 |
redhat jboss enterprise application platform 7.2.0 |
redhat jboss enterprise application platform 7.3 |
netapp active iq unified manager |
netapp oncommand api services - |
netapp oncommand workflow automation - |
netapp service level manager - |
netapp steelstore cloud integrated storage - |
oracle banking platform 2.4.0 |
oracle banking platform 2.4.1 |
oracle banking platform 2.5.0 |
oracle banking platform 2.6.0 |
oracle banking platform 2.6.1 |
oracle banking platform 2.6.2 |
oracle banking platform 2.7.0 |
oracle banking platform 2.7.1 |
oracle banking platform 2.9.0 |
oracle communications billing and revenue management 7.5.0.23.0 |
oracle communications billing and revenue management 12.0.0.3.0 |
oracle communications calendar server 8.0.0.2.0 |
oracle communications calendar server 8.0.0.3.0 |
oracle communications cloud native core network slice selection function 1.2.1 |
oracle communications evolved communications application server 7.1 |
oracle database server 12.2.0.1 |
oracle database server 18c |
oracle database server 19c |
oracle global lifecycle management nextgen oui framework 12.2.1.3.0 |
oracle global lifecycle management nextgen oui framework 12.2.1.4.0 |
oracle global lifecycle management nextgen oui framework 13.9.4.2.2 |
oracle goldengate application adapters 19.1.0.0.0 |
oracle jd edwards enterpriseone orchestrator 9.2 |
oracle jd edwards enterpriseone tools 9.2 |
oracle primavera gateway |
oracle primavera gateway 19.12.0 |
oracle primavera unifier |
oracle primavera unifier 16.1 |
oracle primavera unifier 16.2 |
oracle primavera unifier 18.8 |
oracle primavera unifier 19.12 |
oracle retail merchandising system 15.0.3 |
oracle retail merchandising system 16.0.2 |
oracle retail merchandising system 16.0.3 |
oracle retail sales audit 14.1 |
oracle siebel engineering - installer & deployment |
oracle siebel ui framework |
oracle siebel ui framework 20.6 |
oracle webcenter portal 12.2.1.3.0 |
oracle webcenter portal 12.2.1.4.0 |
oracle webcenter sites 12.2.1.3.0 |
oracle webcenter sites 12.2.1.4.0 |
oracle weblogic server 12.2.1.3.0 |
oracle weblogic server 12.2.1.4.0 |