First published: Tue Jun 04 2019
FasterXML jackson-databind (CVE-2019-12814) could allow a remote attacker to obtain sensitive information, caused by a polymorphic typing issue. When default typing is enabled, either globally or for a specific property, on an externally exposed JSON endpoint and JDOM 1.x or 2.x is present on the classpath, an attacker can send a specially crafted JSON message that reads arbitrary local files on the server.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
FasterXML jackson-databind | >=2.0.0<2.6.7.3 | |
FasterXML jackson-databind | >=2.7.0<2.7.9.6 | |
FasterXML jackson-databind | >=2.8.0<2.8.11.4 | |
FasterXML jackson-databind | >=2.9.0<2.9.9.2 | |
Debian Linux | =8.0 | |
redhat/eap7-activemq-artemis | <0:2.9.0-1.redhat_00005.1.el6ea | 0:2.9.0-1.redhat_00005.1.el6ea |
redhat/eap7-codehaus-jackson | <0:1.9.13-9.redhat_00006.1.el6ea | 0:1.9.13-9.redhat_00006.1.el6ea |
redhat/eap7-glassfish-jsf | <0:2.3.5-4.SP3_redhat_00002.1.el6ea | 0:2.3.5-4.SP3_redhat_00002.1.el6ea |
redhat/eap7-hal-console | <0:3.0.16-1.Final_redhat_00001.1.el6ea | 0:3.0.16-1.Final_redhat_00001.1.el6ea |
redhat/eap7-hibernate | <0:5.3.11-2.SP1_redhat_00001.1.el6ea | 0:5.3.11-2.SP1_redhat_00001.1.el6ea |
redhat/eap7-infinispan | <0:9.3.7-1.Final_redhat_00001.1.el6ea | 0:9.3.7-1.Final_redhat_00001.1.el6ea |
redhat/eap7-ironjacamar | <0:1.4.17-1.Final_redhat_00001.1.el6ea | 0:1.4.17-1.Final_redhat_00001.1.el6ea |
redhat/eap7-jackson-annotations | <0:2.9.9-1.redhat_00001.1.el6ea | 0:2.9.9-1.redhat_00001.1.el6ea |
redhat/eap7-jackson-core | <0:2.9.9-1.redhat_00001.1.el6ea | 0:2.9.9-1.redhat_00001.1.el6ea |
redhat/eap7-jackson-databind | <0:2.9.9.3-1.redhat_00001.1.el6ea | 0:2.9.9.3-1.redhat_00001.1.el6ea |
redhat/eap7-jackson-jaxrs-providers | <0:2.9.9-2.redhat_00001.1.el6ea | 0:2.9.9-2.redhat_00001.1.el6ea |
redhat/eap7-jackson-modules-base | <0:2.9.9-1.redhat_00001.1.el6ea | 0:2.9.9-1.redhat_00001.1.el6ea |
redhat/eap7-jackson-modules-java8 | <0:2.9.9-1.redhat_00001.1.el6ea | 0:2.9.9-1.redhat_00001.1.el6ea |
redhat/eap7-jboss-ejb-client | <0:4.0.23-1.Final_redhat_00001.1.el6ea | 0:4.0.23-1.Final_redhat_00001.1.el6ea |
redhat/eap7-jboss-logging | <0:3.3.3-1.Final_redhat_00001.1.el6ea | 0:3.3.3-1.Final_redhat_00001.1.el6ea |
redhat/eap7-jboss-logmanager | <0:2.1.14-1.Final_redhat_00001.1.el6ea | 0:2.1.14-1.Final_redhat_00001.1.el6ea |
redhat/eap7-jboss-marshalling | <0:2.0.9-1.Final_redhat_00001.1.el6ea | 0:2.0.9-1.Final_redhat_00001.1.el6ea |
redhat/eap7-jboss-msc | <0:1.4.8-1.Final_redhat_00001.1.el6ea | 0:1.4.8-1.Final_redhat_00001.1.el6ea |
redhat/eap7-jboss-remoting | <0:5.0.14-1.SP1_redhat_00001.1.el6ea | 0:5.0.14-1.SP1_redhat_00001.1.el6ea |
redhat/eap7-jboss-server-migration | <0:1.3.1-4.Final_redhat_00004.1.el6ea | 0:1.3.1-4.Final_redhat_00004.1.el6ea |
redhat/eap7-jboss-xnio-base | <0:3.7.3-1.Final_redhat_00001.1.el6ea | 0:3.7.3-1.Final_redhat_00001.1.el6ea |
redhat/eap7-jgroups | <0:4.0.20-1.Final_redhat_00001.1.el6ea | 0:4.0.20-1.Final_redhat_00001.1.el6ea |
redhat/eap7-narayana | <0:5.9.6-1.Final_redhat_00001.1.el6ea | 0:5.9.6-1.Final_redhat_00001.1.el6ea |
redhat/eap7-netty | <0:4.1.34-2.Final_redhat_00002.1.el6ea | 0:4.1.34-2.Final_redhat_00002.1.el6ea |
redhat/eap7-picketbox | <0:5.0.3-5.Final_redhat_00004.1.el6ea | 0:5.0.3-5.Final_redhat_00004.1.el6ea |
redhat/eap7-picketlink-bindings | <0:2.5.5-20.SP12_redhat_00007.1.el6ea | 0:2.5.5-20.SP12_redhat_00007.1.el6ea |
redhat/eap7-picketlink-federation | <0:2.5.5-20.SP12_redhat_00007.1.el6ea | 0:2.5.5-20.SP12_redhat_00007.1.el6ea |
redhat/eap7-undertow | <0:2.0.25-1.SP1_redhat_00001.1.el6ea | 0:2.0.25-1.SP1_redhat_00001.1.el6ea |
redhat/eap7-weld-core | <0:3.0.6-2.Final_redhat_00002.1.el6ea | 0:3.0.6-2.Final_redhat_00002.1.el6ea |
redhat/eap7-wildfly | <0:7.2.4-1.GA_redhat_00002.1.el6ea | 0:7.2.4-1.GA_redhat_00002.1.el6ea |
redhat/eap7-wildfly-elytron | <0:1.6.4-1.Final_redhat_00001.1.el6ea | 0:1.6.4-1.Final_redhat_00001.1.el6ea |
redhat/eap7-wildfly-elytron-tool | <0:1.4.3-1.Final_redhat_00001.1.el6ea | 0:1.4.3-1.Final_redhat_00001.1.el6ea |
redhat/eap7-wildfly-transaction-client | <0:1.1.6-2.Final_redhat_00001.1.el6ea | 0:1.1.6-2.Final_redhat_00001.1.el6ea |
redhat/eap7-activemq-artemis | <0:2.9.0-1.redhat_00005.1.el7ea | 0:2.9.0-1.redhat_00005.1.el7ea |
redhat/eap7-codehaus-jackson | <0:1.9.13-9.redhat_00006.1.el7ea | 0:1.9.13-9.redhat_00006.1.el7ea |
redhat/eap7-glassfish-jsf | <0:2.3.5-4.SP3_redhat_00002.1.el7ea | 0:2.3.5-4.SP3_redhat_00002.1.el7ea |
redhat/eap7-hal-console | <0:3.0.16-1.Final_redhat_00001.1.el7ea | 0:3.0.16-1.Final_redhat_00001.1.el7ea |
redhat/eap7-hibernate | <0:5.3.11-2.SP1_redhat_00001.1.el7ea | 0:5.3.11-2.SP1_redhat_00001.1.el7ea |
redhat/eap7-infinispan | <0:9.3.7-1.Final_redhat_00001.1.el7ea | 0:9.3.7-1.Final_redhat_00001.1.el7ea |
redhat/eap7-ironjacamar | <0:1.4.17-1.Final_redhat_00001.1.el7ea | 0:1.4.17-1.Final_redhat_00001.1.el7ea |
redhat/eap7-jackson-annotations | <0:2.9.9-1.redhat_00001.1.el7ea | 0:2.9.9-1.redhat_00001.1.el7ea |
redhat/eap7-jackson-core | <0:2.9.9-1.redhat_00001.1.el7ea | 0:2.9.9-1.redhat_00001.1.el7ea |
redhat/eap7-jackson-databind | <0:2.9.9.3-1.redhat_00001.1.el7ea | 0:2.9.9.3-1.redhat_00001.1.el7ea |
redhat/eap7-jackson-jaxrs-providers | <0:2.9.9-2.redhat_00001.1.el7ea | 0:2.9.9-2.redhat_00001.1.el7ea |
redhat/eap7-jackson-modules-base | <0:2.9.9-1.redhat_00001.1.el7ea | 0:2.9.9-1.redhat_00001.1.el7ea |
redhat/eap7-jackson-modules-java8 | <0:2.9.9-1.redhat_00001.1.el7ea | 0:2.9.9-1.redhat_00001.1.el7ea |
redhat/eap7-jboss-ejb-client | <0:4.0.23-1.Final_redhat_00001.1.el7ea | 0:4.0.23-1.Final_redhat_00001.1.el7ea |
redhat/eap7-jboss-logging | <0:3.3.3-1.Final_redhat_00001.1.el7ea | 0:3.3.3-1.Final_redhat_00001.1.el7ea |
redhat/eap7-jboss-logmanager | <0:2.1.14-1.Final_redhat_00001.1.el7ea | 0:2.1.14-1.Final_redhat_00001.1.el7ea |
redhat/eap7-jboss-marshalling | <0:2.0.9-1.Final_redhat_00001.1.el7ea | 0:2.0.9-1.Final_redhat_00001.1.el7ea |
redhat/eap7-jboss-msc | <0:1.4.8-1.Final_redhat_00001.1.el7ea | 0:1.4.8-1.Final_redhat_00001.1.el7ea |
redhat/eap7-jboss-remoting | <0:5.0.14-1.SP1_redhat_00001.1.el7ea | 0:5.0.14-1.SP1_redhat_00001.1.el7ea |
redhat/eap7-jboss-server-migration | <0:1.3.1-4.Final_redhat_00004.1.el7ea | 0:1.3.1-4.Final_redhat_00004.1.el7ea |
redhat/eap7-jboss-xnio-base | <0:3.7.3-1.Final_redhat_00001.1.el7ea | 0:3.7.3-1.Final_redhat_00001.1.el7ea |
redhat/eap7-jgroups | <0:4.0.20-1.Final_redhat_00001.1.el7ea | 0:4.0.20-1.Final_redhat_00001.1.el7ea |
redhat/eap7-narayana | <0:5.9.6-1.Final_redhat_00001.1.el7ea | 0:5.9.6-1.Final_redhat_00001.1.el7ea |
redhat/eap7-netty | <0:4.1.34-2.Final_redhat_00002.1.el7ea | 0:4.1.34-2.Final_redhat_00002.1.el7ea |
redhat/eap7-picketbox | <0:5.0.3-5.Final_redhat_00004.1.el7ea | 0:5.0.3-5.Final_redhat_00004.1.el7ea |
redhat/eap7-picketlink-bindings | <0:2.5.5-20.SP12_redhat_00007.1.el7ea | 0:2.5.5-20.SP12_redhat_00007.1.el7ea |
redhat/eap7-picketlink-federation | <0:2.5.5-20.SP12_redhat_00007.1.el7ea | 0:2.5.5-20.SP12_redhat_00007.1.el7ea |
redhat/eap7-undertow | <0:2.0.25-1.SP1_redhat_00001.1.el7ea | 0:2.0.25-1.SP1_redhat_00001.1.el7ea |
redhat/eap7-weld-core | <0:3.0.6-2.Final_redhat_00002.1.el7ea | 0:3.0.6-2.Final_redhat_00002.1.el7ea |
redhat/eap7-wildfly | <0:7.2.4-1.GA_redhat_00002.1.el7ea | 0:7.2.4-1.GA_redhat_00002.1.el7ea |
redhat/eap7-wildfly-elytron | <0:1.6.4-1.Final_redhat_00001.1.el7ea | 0:1.6.4-1.Final_redhat_00001.1.el7ea |
redhat/eap7-wildfly-elytron-tool | <0:1.4.3-1.Final_redhat_00001.1.el7ea | 0:1.4.3-1.Final_redhat_00001.1.el7ea |
redhat/eap7-wildfly-transaction-client | <0:1.1.6-2.Final_redhat_00001.1.el7ea | 0:1.1.6-2.Final_redhat_00001.1.el7ea |
redhat/eap7-activemq-artemis | <0:2.9.0-1.redhat_00005.1.el8ea | 0:2.9.0-1.redhat_00005.1.el8ea |
redhat/eap7-codehaus-jackson | <0:1.9.13-9.redhat_00006.1.el8ea | 0:1.9.13-9.redhat_00006.1.el8ea |
redhat/eap7-glassfish-jsf | <0:2.3.5-4.SP3_redhat_00002.1.el8ea | 0:2.3.5-4.SP3_redhat_00002.1.el8ea |
redhat/eap7-hal-console | <0:3.0.16-1.Final_redhat_00001.1.el8ea | 0:3.0.16-1.Final_redhat_00001.1.el8ea |
redhat/eap7-hibernate | <0:5.3.11-2.SP1_redhat_00001.1.el8ea | 0:5.3.11-2.SP1_redhat_00001.1.el8ea |
redhat/eap7-infinispan | <0:9.3.7-1.Final_redhat_00001.1.el8ea | 0:9.3.7-1.Final_redhat_00001.1.el8ea |
redhat/eap7-ironjacamar | <0:1.4.17-1.Final_redhat_00001.1.el8ea | 0:1.4.17-1.Final_redhat_00001.1.el8ea |
redhat/eap7-jackson-annotations | <0:2.9.9-1.redhat_00001.1.el8ea | 0:2.9.9-1.redhat_00001.1.el8ea |
redhat/eap7-jackson-core | <0:2.9.9-1.redhat_00001.1.el8ea | 0:2.9.9-1.redhat_00001.1.el8ea |
redhat/eap7-jackson-databind | <0:2.9.9.3-1.redhat_00001.1.el8ea | 0:2.9.9.3-1.redhat_00001.1.el8ea |
redhat/eap7-jackson-jaxrs-providers | <0:2.9.9-2.redhat_00001.1.el8ea | 0:2.9.9-2.redhat_00001.1.el8ea |
redhat/eap7-jackson-modules-base | <0:2.9.9-1.redhat_00001.1.el8ea | 0:2.9.9-1.redhat_00001.1.el8ea |
redhat/eap7-jackson-modules-java8 | <0:2.9.9-1.redhat_00001.1.el8ea | 0:2.9.9-1.redhat_00001.1.el8ea |
redhat/eap7-jboss-ejb-client | <0:4.0.23-1.Final_redhat_00001.1.el8ea | 0:4.0.23-1.Final_redhat_00001.1.el8ea |
redhat/eap7-jboss-logging | <0:3.3.3-1.Final_redhat_00001.1.el8ea | 0:3.3.3-1.Final_redhat_00001.1.el8ea |
redhat/eap7-jboss-logmanager | <0:2.1.14-1.Final_redhat_00001.1.el8ea | 0:2.1.14-1.Final_redhat_00001.1.el8ea |
redhat/eap7-jboss-marshalling | <0:2.0.9-1.Final_redhat_00001.1.el8ea | 0:2.0.9-1.Final_redhat_00001.1.el8ea |
redhat/eap7-jboss-msc | <0:1.4.8-1.Final_redhat_00001.1.el8ea | 0:1.4.8-1.Final_redhat_00001.1.el8ea |
redhat/eap7-jboss-remoting | <0:5.0.14-1.SP1_redhat_00001.1.el8ea | 0:5.0.14-1.SP1_redhat_00001.1.el8ea |
redhat/eap7-jboss-server-migration | <0:1.3.1-4.Final_redhat_00004.1.el8ea | 0:1.3.1-4.Final_redhat_00004.1.el8ea |
redhat/eap7-jboss-xnio-base | <0:3.7.3-1.Final_redhat_00001.1.el8ea | 0:3.7.3-1.Final_redhat_00001.1.el8ea |
redhat/eap7-jgroups | <0:4.0.20-1.Final_redhat_00001.1.el8ea | 0:4.0.20-1.Final_redhat_00001.1.el8ea |
redhat/eap7-narayana | <0:5.9.6-1.Final_redhat_00001.1.el8ea | 0:5.9.6-1.Final_redhat_00001.1.el8ea |
redhat/eap7-netty | <0:4.1.34-2.Final_redhat_00002.1.el8ea | 0:4.1.34-2.Final_redhat_00002.1.el8ea |
redhat/eap7-picketbox | <0:5.0.3-5.Final_redhat_00004.1.el8ea | 0:5.0.3-5.Final_redhat_00004.1.el8ea |
redhat/eap7-picketlink-bindings | <0:2.5.5-20.SP12_redhat_00007.1.el8ea | 0:2.5.5-20.SP12_redhat_00007.1.el8ea |
redhat/eap7-picketlink-federation | <0:2.5.5-20.SP12_redhat_00007.1.el8ea | 0:2.5.5-20.SP12_redhat_00007.1.el8ea |
redhat/eap7-undertow | <0:2.0.25-1.SP1_redhat_00001.1.el8ea | 0:2.0.25-1.SP1_redhat_00001.1.el8ea |
redhat/eap7-weld-core | <0:3.0.6-2.Final_redhat_00002.1.el8ea | 0:3.0.6-2.Final_redhat_00002.1.el8ea |
redhat/eap7-wildfly | <0:7.2.4-1.GA_redhat_00002.1.el8ea | 0:7.2.4-1.GA_redhat_00002.1.el8ea |
redhat/eap7-wildfly-elytron | <0:1.6.4-1.Final_redhat_00001.1.el8ea | 0:1.6.4-1.Final_redhat_00001.1.el8ea |
redhat/eap7-wildfly-elytron-tool | <0:1.4.3-1.Final_redhat_00001.1.el8ea | 0:1.4.3-1.Final_redhat_00001.1.el8ea |
redhat/eap7-wildfly-transaction-client | <0:1.1.6-2.Final_redhat_00001.1.el8ea | 0:1.1.6-2.Final_redhat_00001.1.el8ea |
redhat/rh-sso7-keycloak | <0:4.8.13-1.Final_redhat_00001.1.el6 | 0:4.8.13-1.Final_redhat_00001.1.el6 |
redhat/rh-sso7-keycloak | <0:4.8.13-1.Final_redhat_00001.1.el7 | 0:4.8.13-1.Final_redhat_00001.1.el7 |
redhat/rh-sso7-libunix-dbus-java | <0:0.8.0-2.el7 | 0:0.8.0-2.el7 |
redhat/rh-sso7-keycloak | <0:4.8.13-1.Final_redhat_00001.1.el8 | 0:4.8.13-1.Final_redhat_00001.1.el8 |
debian/jackson-databind | | 2.9.8-3+deb10u3, 2.9.8-3+deb10u5, 2.12.1-1+deb11u1, 2.14.0-1 |
redhat/jackson-databind | <2.9.9.1 | 2.9.9.1 |
maven/com.fasterxml.jackson.core:jackson-databind | >=2.0.0<2.6.7.3 | 2.6.7.3 |
maven/com.fasterxml.jackson.core:jackson-databind | >=2.7.0<2.7.9.6 | 2.7.9.6 |
maven/com.fasterxml.jackson.core:jackson-databind | >=2.8.0<2.8.11.4 | 2.8.11.4 |
maven/com.fasterxml.jackson.core:jackson-databind | >=2.9.0<2.9.9.1 | 2.9.9.1 |
This vulnerability relies on jdom (org.jdom) or jdom2 (org.jdom2) being present in the application's classpath, and on the application enabling Jackson default typing (globally via ObjectMapper.enableDefaultTyping(), or per property with @JsonTypeInfo using a class-name type id) for a deserialization target such as Object that lets the payload choose the concrete class. Applications using jackson-databind that do not also use jdom or jdom2 are not impacted by this vulnerability. Upgrading jackson-databind to a fixed version blocks this particular gadget class, but default typing over an unbounded class-name space remains unsafe and further gadget classes keep being reported, so the durable fix is to disable default typing or restrict it to an explicit allow-list of application types.
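The two preconditions above, checked and removed in code. This is an added example, not code from the advisory or from the jackson-databind project. exposedMapper() is the configuration the advisory describes; hardenedMapper() assumes jackson-databind 2.10 or later (where activateDefaultTyping and BasicPolymorphicTypeValidator exist) and an application package com.example.model, both of which are assumptions for illustration.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingCheck {

    // Precondition 1 from the advisory: is JDOM 1.x or 2.x loadable from this classpath?
    // Class.forName with initialize=false only checks presence; it runs no static initializers.
    static boolean jdomOnClasspath(ClassLoader cl) {
        for (String cls : new String[] {"org.jdom.Document", "org.jdom2.Document"}) {
            try {
                Class.forName(cls, false, cl);
                return true;
            } catch (ClassNotFoundException ignored) {
                // not present under this name; try the next one
            }
        }
        return false;
    }

    // Precondition 2: the exposed configuration. Global default typing lets any JSON payload
    // name the concrete class to instantiate for Object-typed targets. Deprecated since 2.10,
    // but it still compiles and is still unsafe.
    static ObjectMapper exposedMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping();
        return mapper;
    }

    // Hardened: default typing only for an explicit allow-list of subtypes (2.10+).
    // "com.example.model." is an assumed application package; substitute your own.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // Returns true if a class name outside the allow-list is rejected before instantiation.
    static boolean rejectsUnlistedType(ObjectMapper mapper) throws Exception {
        // Constructed payload using Jackson's default wrapper-array type-id layout.
        // java.util.HashMap is harmless; the point is only that it is not allow-listed.
        String payload = "[\"java.util.HashMap\", {}]";
        try {
            mapper.readValue(payload, Object.class);
            return false;
        } catch (InvalidTypeIdException expected) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        ClassLoader cl = DefaultTypingCheck.class.getClassLoader();
        System.out.println("jdom on classpath: " + jdomOnClasspath(cl));
        System.out.println("exposed mapper rejects unlisted type: " + rejectsUnlistedType(exposedMapper()));
        System.out.println("hardened mapper rejects unlisted type: " + rejectsUnlistedType(hardenedMapper()));
    }
}
```

The exposed mapper happily instantiates whatever class the payload names, which is exactly what a gadget chain needs; the hardened mapper fails closed with InvalidTypeIdException for anything outside the allow-listed package, so adding or removing jars such as jdom no longer changes the attack surface of the endpoint. A startup check that refuses to run when jdomOnClasspath() is true and an unhardened mapper is in use is a reasonable stopgap on 2.9.x builds until the upgrade to a fixed version lands.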