CVE - CVE-2019-12086

CVE-ID
CVE-2019-12086	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
BID:109227 URL:http://www.securityfocus.com/bid/109227 BUGTRAQ:20190527 [SECURITY] [DSA 4452-1] jackson-databind security update URL:https://seclists.org/bugtraq/2019/May/68 CONFIRM:https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.9 URL:https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.9 CONFIRM:https://security.netapp.com/advisory/ntap-20190530-0003/ URL:https://security.netapp.com/advisory/ntap-20190530-0003/ DEBIAN:DSA-4452 URL:https://www.debian.org/security/2019/dsa-4452 FEDORA:FEDORA-2019-99ff6aa32c URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UKUALE2TUCKEKOHE2D342PQXN4MWCSLC/ FEDORA:FEDORA-2019-ae6a703b8f URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OVRZDN2T6AZ6DJCZJ3VSIQIVHBVMVWBL/ FEDORA:FEDORA-2019-fb23eccc03 URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TXRVXNRFHJSQWFHPRJQRI5UPMZ63B544/ MISC:http://russiansecurity.expert/2016/04/20/mysql-connect-file-read/ URL:http://russiansecurity.expert/2016/04/20/mysql-connect-file-read/ MISC:https://github.com/FasterXML/jackson-databind/issues/2326 URL:https://github.com/FasterXML/jackson-databind/issues/2326 MISC:https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 URL:https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 MISC:https://www.oracle.com/security-alerts/cpuApr2021.html URL:https://www.oracle.com/security-alerts/cpuApr2021.html MISC:https://www.oracle.com/security-alerts/cpuapr2020.html URL:https://www.oracle.com/security-alerts/cpuapr2020.html MISC:https://www.oracle.com/security-alerts/cpuapr2022.html URL:https://www.oracle.com/security-alerts/cpuapr2022.html MISC:https://www.oracle.com/security-alerts/cpujan2020.html URL:https://www.oracle.com/security-alerts/cpujan2020.html MISC:https://www.oracle.com/security-alerts/cpujul2020.html URL:https://www.oracle.com/security-alerts/cpujul2020.html MISC:https://www.oracle.com/security-alerts/cpuoct2020.html URL:https://www.oracle.com/security-alerts/cpuoct2020.html MISC:https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html URL:https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html MISC:https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html URL:https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html MLIST:[cassandra-commits] 20190919 [jira] [Created] (CASSANDRA-15328) Bump jackson version to >= 2.9.9.3 to address security vulnerabilities URL:https://lists.apache.org/thread.html/3f99ae8dcdbd69438cb733d745ee3ad5e852068490719a66509b4592@%3Ccommits.cassandra.apache.org%3E MLIST:[debian-lts-announce] 20190521 [SECURITY] [DLA 1798-1] jackson-databind security update URL:https://lists.debian.org/debian-lts-announce/2019/05/msg00030.html MLIST:[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities URL:https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E MLIST:[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities URL:https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E MLIST:[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities URL:https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E MLIST:[lucene-solr-user] 20200320 CVEs (vulnerabilities) that apply to Solr 8.4.1 URL:https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5@%3Csolr-user.lucene.apache.org%3E MLIST:[nifi-commits] 20191113 svn commit: r1869773 - /nifi/site/trunk/security.html URL:https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E MLIST:[nifi-commits] 20200123 svn commit: r1873083 - /nifi/site/trunk/security.html URL:https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E MLIST:[nifi-commits] 20200930 svn commit: r1882168 - /nifi/site/trunk/security.html URL:https://lists.apache.org/thread.html/rda99599896c3667f2cc9e9d34c7b6ef5d2bbed1f4801e1d75a2b0679@%3Ccommits.nifi.apache.org%3E MLIST:[spark-reviews] 20190520 [GitHub] [spark] Fokko opened a new pull request #24646: Spark 27757 URL:https://lists.apache.org/thread.html/88cd25375805950ae7337e669b0cb0eeda98b9604c1b8d806dccbad2@%3Creviews.spark.apache.org%3E REDHAT:RHSA-2019:2858 URL:https://access.redhat.com/errata/RHSA-2019:2858 REDHAT:RHSA-2019:2935 URL:https://access.redhat.com/errata/RHSA-2019:2935 REDHAT:RHSA-2019:2936 URL:https://access.redhat.com/errata/RHSA-2019:2936 REDHAT:RHSA-2019:2937 URL:https://access.redhat.com/errata/RHSA-2019:2937 REDHAT:RHSA-2019:2938 URL:https://access.redhat.com/errata/RHSA-2019:2938 REDHAT:RHSA-2019:2998 URL:https://access.redhat.com/errata/RHSA-2019:2998 REDHAT:RHSA-2019:3044 URL:https://access.redhat.com/errata/RHSA-2019:3044 REDHAT:RHSA-2019:3045 URL:https://access.redhat.com/errata/RHSA-2019:3045 REDHAT:RHSA-2019:3046 URL:https://access.redhat.com/errata/RHSA-2019:3046 REDHAT:RHSA-2019:3050 URL:https://access.redhat.com/errata/RHSA-2019:3050 REDHAT:RHSA-2019:3149 URL:https://access.redhat.com/errata/RHSA-2019:3149 REDHAT:RHSA-2019:3200 URL:https://access.redhat.com/errata/RHSA-2019:3200
Assigning CNA
MITRE Corporation
Date Record Created
20190513	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20190513)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)