Attacker Value
Unknown
(0 users assessed)
Exploitability
Unknown
(0 users assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
0

CVE-2019-17267

Disclosure Date: October 07, 2019
CVE-2019-17267 CVSS v3 Base Score: 9.8
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics
Base Score:
9.8 Critical
Impact Score:
5.9
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
n/a
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • debian,
  • fasterxml,
  • netapp,
  • oracle,
  • redhat

Products

  • active iq unified manager,
  • customer management and segmentation foundation,
  • debian linux 8.0,
  • goldengate application adapters 19.1.0.0.0,
  • jackson-databind,
  • jboss enterprise application platform 7.2,
  • jboss enterprise application platform 7.3,
  • oncommand api services -,
  • oncommand workflow automation -,
  • retail customer management and segmentation foundation 17.0,
  • service level manager -,
  • steelstore cloud integrated storage -,
  • weblogic server 12.2.1.3.0

References

Canonical
CVE-2019-17267 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17267)
Advisory
[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities (https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E)
[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities (https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E)
[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities (https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E)
https://access.redhat.com/errata/RHSA-2019:3200
[debian-lts-announce] 20191210 [SECURITY] [DLA 2030-1] jackson-databind security update (https://lists.debian.org/debian-lts-announce/2019/12/msg00013.html)
[druid-commits] 20200115 [druid] branch 0.17.0 updated: Suppress CVE-2019-20330 for htrace-core-4.0.1 (#9189) (#9191) (https://lists.apache.org/thread.html/r392099ed2757ff2e383b10440594e914d080511d7da1c8fed0612c1f@%3Ccommits.druid.apache.org%3E)
https://access.redhat.com/errata/RHSA-2020:0164
https://access.redhat.com/errata/RHSA-2020:0159
https://access.redhat.com/errata/RHSA-2020:0160
https://access.redhat.com/errata/RHSA-2020:0161
https://access.redhat.com/errata/RHSA-2020:0445
[skywalking-dev] 20200324 [CVE-2019-17267] Upgrade jackson-databind version to 2.9.10 (https://lists.apache.org/thread.html/r9d727fc681fb3828794acbefcaee31393742b4d73a29461ccd9597a8@%3Cdev.skywalking.apache.org%3E)
https://security.netapp.com/advisory/ntap-20191017-0006
[bookkeeper-issues] 20200729 [GitHub] [bookkeeper] padma81 opened a new issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image (https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E)
[geode-issues] 20200831 [jira] [Created] (GEODE-8471) Dependency security issues in geode-core-1.12 (https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E)
https://security.netapp.com/advisory/ntap-20191017-0006/
Miscellaneous
https://www.oracle.com/security-alerts/cpujul2020.html
https://www.oracle.com/security-alerts/cpujan2020.html
https://github.com/FasterXML/jackson-databind/issues/2460
https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.3...jackson-databind-2.9.10
https://www.oracle.com/security-alerts/cpuoct2020.html

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis