CVE-2019-16942
Description
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.
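The description above turns on one configuration decision: whether the ObjectMapper is allowed to resolve an attacker-supplied class name into a constructor call. The following is an added example, not code from AttackerKB, FasterXML or commons-dbcp. It assumes jackson-databind 2.10 or later on the compile classpath (the version in which `activateDefaultTyping` and `BasicPolymorphicTypeValidator` were introduced; the deprecated `enableDefaultTyping` is retained there), and a hypothetical `Envelope` DTO with an untyped `payload` property under a hypothetical `com.example.app` package. The JSON input is constructed for the demo; it names one of the two commons-dbcp classes from the description as a type id and carries no endpoint or other properties.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingDemo {

    // Hypothetical application DTO. An untyped slot like `payload` is exactly
    // what default typing turns into a class-name-controlled instantiation point.
    public static class Envelope {
        public String id;
        public Object payload;
    }

    // The weak configuration from the description: global default typing on
    // every non-final declared type, with no validator in front of class loading.
    // This is the shape of the jackson-databind 2.0.0 - 2.9.10 API being abused.
    static ObjectMapper vulnerableMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    // The hardened configuration: default typing stays on (the application may
    // genuinely need it), but type ids may only resolve to classes under an
    // application-owned package (hypothetical prefix "com.example.app.").
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.app.")
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    // Constructed input: default typing's wrapper-array form, with a type id
    // naming the first gadget class from the CVE description. Nothing here
    // points at an RMI endpoint; the only question is whether the name resolves.
    static final String CONSTRUCTED_INPUT =
            "{\"id\":\"1\",\"payload\":"
            + "[\"org.apache.commons.dbcp.datasources.SharedPoolDataSource\",{}]}";

    public static void main(String[] args) {
        try {
            vulnerableMapper().readValue(CONSTRUCTED_INPUT, Envelope.class);
            // Reached on 2.0.0 - 2.9.10 with commons-dbcp 1.4 on the classpath:
            // the class was loaded and constructed from attacker-chosen JSON.
            System.out.println("vulnerable mapper: type id resolved, class instantiated");
        } catch (Exception e) {
            // Reached when the class is absent, or on patched releases whose
            // built-in denylist now names this class. A denylist only covers
            // names already known; that is why the allowlist below is the fix.
            System.out.println("vulnerable mapper: "
                    + e.getClass().getSimpleName() + ": " + e.getMessage());
        }

        try {
            hardenedMapper().readValue(CONSTRUCTED_INPUT, Envelope.class);
            System.out.println("hardened mapper: unexpectedly accepted type id");
        } catch (InvalidTypeIdException e) {
            // Expected on every release: the validator denies the name before
            // any class is loaded, so no constructor or setter ever runs.
            System.out.println("hardened mapper rejected type id: " + e.getTypeId());
        } catch (Exception e) {
            System.out.println("hardened mapper: "
                    + e.getClass().getSimpleName() + ": " + e.getMessage());
        }
    }
}
```

The check a practitioner wants is the second branch: any type id outside the allowlisted package must end in `InvalidTypeIdException` before class loading, regardless of what jars happen to be on the classpath. Removing default typing entirely (or scoping it to a single `@JsonTypeInfo`-annotated property with a validator) is preferable where the application can tolerate it; the allowlist is the minimum when it cannot.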
General Information
Vendors
- debian,
- fasterxml,
- fedoraproject,
- netapp,
- oracle,
- redhat
Products
- active iq unified manager,
- banking platform 2.4.0,
- banking platform 2.4.1,
- banking platform 2.5.0,
- banking platform 2.6.0,
- banking platform 2.6.1,
- banking platform 2.6.2,
- banking platform 2.7.0,
- banking platform 2.7.1,
- banking platform 2.9.0,
- communications billing and revenue management 12.0.0.3.0,
- communications billing and revenue management 7.5.0.23.0,
- communications calendar server 8.0.0.2.0,
- communications calendar server 8.0.0.3.0,
- communications cloud native core network slice selection function 1.2.1,
- communications evolved communications application server 7.1,
- database server 12.2.0.1,
- database server 18c,
- database server 19c,
- debian linux 10.0,
- debian linux 8.0,
- debian linux 9.0,
- fedora 30,
- fedora 31,
- global lifecycle management nextgen oui framework 12.2.1.3.0,
- global lifecycle management nextgen oui framework 12.2.1.4.0,
- global lifecycle management nextgen oui framework 13.9.4.2.2,
- goldengate application adapters 19.1.0.0.0,
- jackson-databind,
- jboss enterprise application platform 7.2.0,
- jboss enterprise application platform 7.3,
- jd edwards enterpriseone orchestrator 9.2,
- jd edwards enterpriseone tools 9.2,
- oncommand api services,
- oncommand workflow automation,
- primavera gateway,
- primavera gateway 19.12.0,
- primavera unifier,
- primavera unifier 16.1,
- primavera unifier 16.2,
- primavera unifier 18.8,
- primavera unifier 19.12,
- retail merchandising system 15.0.3,
- retail merchandising system 16.0.2,
- retail merchandising system 16.0.3,
- retail sales audit 14.1,
- service level manager,
- siebel engineering - installer & deployment,
- siebel ui framework,
- siebel ui framework 20.6,
- steelstore cloud integrated storage,
- webcenter portal 12.2.1.3.0,
- webcenter portal 12.2.1.4.0,
- webcenter sites 12.2.1.3.0,
- webcenter sites 12.2.1.4.0,
- weblogic server 12.2.1.3.0,
- weblogic server 12.2.1.4.0