CVE-2019-14893 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2019-14893 Interim 1 20 2023-06-13T00:22:50Z current 2021-05-30T14:30:46Z 2023-06-13T00:22:50Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2019-14893 A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE Linux Enterprise Module for Development Tools 15 SP2 SUSE Linux Enterprise Module for Development Tools 15 SP3 SUSE Linux Enterprise Module for Development Tools 15 SP2 SUSE Linux Enterprise Module for Development Tools 15 SP3 SUSE Linux Enterprise Module for Basesystem 15 SP4 SUSE Linux Enterprise Module for Basesystem 15 SP5 SUSE Linux Enterprise Module for Development Tools 15 SP2 SUSE Linux Enterprise Module for Development Tools 15 SP3 SUSE Linux Enterprise Module for Basesystem 15 SP4 SUSE Linux Enterprise Module for Basesystem 15 SP5 SUSE Linux Enterprise Module for Development Tools 15 SP2 SUSE Linux Enterprise Module for Development Tools 15 SP3 SUSE Linux Enterprise Module for Basesystem 15 SP4 SUSE Linux Enterprise Module for Basesystem 15 SP5 SUSE Linux Enterprise Module for Development Tools 15 SP2 SUSE Linux Enterprise Module for Development Tools 15 SP3 SUSE Linux Enterprise Module for Basesystem 15 SP4 SUSE Linux Enterprise Module for Basesystem 15 SP5 SUSE Linux Enterprise Module for Development Tools 15 SP2 SUSE Linux Enterprise Module for Development Tools 15 SP3 SUSE Linux Enterprise Module for Basesystem 15 SP4 SUSE Linux Enterprise Module for Development Tools 15 SP2 SUSE Linux Enterprise Module for Development Tools 15 SP3 SUSE Linux Enterprise Module for Basesystem 15 SP4 SUSE Linux Enterprise Module for Development Tools 15 SP2 SUSE Linux Enterprise Module for Development Tools 15 SP3 SUSE Linux Enterprise Module for Basesystem 15 SP4 openSUSE Tumbleweed jackson-databind-2.10.2-1.74 jackson-databind-2.10.5.1-2.2 jackson-databind-2.10.5.1-3.3.2 jackson-databind-2.10.5.1-3.5.1 jackson-databind-2.13.4.2-150200.3.12.1 jackson-databind-javadoc-2.10.5.1-2.2 jackson-databind-2.10.5.1-3.5.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP4 jackson-databind-2.13.4.2-150200.3.12.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP5 jackson-databind-2.10.2-1.74 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP2 jackson-databind-2.10.5.1-3.3.2 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP3 jackson-databind-2.10.5.1-2.2 as a component of openSUSE Tumbleweed jackson-databind-javadoc-2.10.5.1-2.2 as a component of openSUSE Tumbleweed A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code. CVE-2019-14893 SUSE Linux Enterprise Module for Basesystem 15 SP4:jackson-databind-2.10.5.1-3.5.1 SUSE Linux Enterprise Module for Basesystem 15 SP5:jackson-databind-2.13.4.2-150200.3.12.1 SUSE Linux Enterprise Module for Development Tools 15 SP2:jackson-databind-2.10.2-1.74 SUSE Linux Enterprise Module for Development Tools 15 SP3:jackson-databind-2.10.5.1-3.3.2 openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2 openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2 critical 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H