A polymorphic typing issue exists in FasterXML jackson-databind 2.0.0 up to and including 2.9.10. When Default Typing is enabled (either globally or for a specific property) on an externally exposed JSON endpoint, the service has the p6spy (3.8.6) jar on its classpath, and an attacker can find an RMI service endpoint to access, the service can be made to execute a malicious payload. The issue exists because com.p6spy.engine.spy.P6DataSource is mishandled.
Vendor | Product | Version
---|---|---
fasterxml | jackson-databind | 2.0.0 through 2.9.10
debian | debian linux | 8.0
debian | debian linux | 9.0
debian | debian linux | 10.0
fedoraproject | fedora | 30
fedoraproject | fedora | 31
redhat | jboss_enterprise_application_platform | 7.2
redhat | jboss_enterprise_application_platform | 7.3
oracle | banking platform | 2.4.0
oracle | jd edwards enterpriseone tools | 9.2
oracle | banking platform | 2.4.1
oracle | primavera gateway | 16.1
oracle | primavera gateway | 16.2
oracle | banking platform | 2.5.0
oracle | weblogic server | 12.2.1.3.0
oracle | webcenter portal | 12.2.1.3.0
oracle | webcenter sites | 12.2.1.3.0
oracle | jd edwards enterpriseone orchestrator | 9.2
oracle | banking platform | 2.6.0
oracle | banking platform | 2.6.1
oracle | banking platform | 2.6.2
oracle | weblogic server | 12.2.1.4.0
oracle | webcenter sites | 12.2.1.4.0
oracle | webcenter portal | 12.2.1.4.0
oracle | communications billing and revenue management | 12.0.0.3.0
oracle | communications billing and revenue management | 7.5.0.23.0
oracle | trace file analyzer | 19c
oracle | trace file analyzer | 18c
oracle | trace file analyzer | 12.2.0.1
oracle | siebel engineering - installer & deployment |
oracle | retail sales audit | 14.1
oracle | retail merchandising system | 15.0.3
oracle | retail merchandising system | 16.0.2
oracle | retail merchandising system | 16.0.3
oracle | global lifecycle management nextgen oui framework | 13.9.4.2.2
oracle | global lifecycle management nextgen oui framework | 12.2.1.4.0
oracle | global lifecycle management nextgen oui framework | 12.2.1.3.0
oracle | banking platform | 2.7.0
oracle | banking platform | 2.7.1
oracle | banking platform | 2.9.0
oracle | primavera gateway | 19.12.0
oracle | primavera gateway |
oracle | communications evolved communications application server | 7.1
oracle | communications calendar server | 8.0.0.3.0
oracle | communications calendar server | 8.0.0.2.0
oracle | goldengate application adapters | 19.1.0.0.0
oracle | communications cloud native core network slice selection function | 1.2.1
netapp | steelstore cloud integrated storage |
netapp | oncommand workflow automation |
netapp | service level manager |
netapp | oncommand api services |
netapp | active iq unified manager |