Attacker Value
Unknown
(0 users assessed)
Exploitability
Unknown
(0 users assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
0

CVE-2019-16943

Disclosure Date: October 01, 2019
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics
Base Score:
9.8 Critical
Impact Score:
5.9
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • debian,
  • fasterxml,
  • fedoraproject,
  • netapp,
  • oracle,
  • redhat

Products

  • active iq unified manager,
  • banking platform 2.4.0,
  • banking platform 2.4.1,
  • banking platform 2.5.0,
  • banking platform 2.6.0,
  • banking platform 2.6.1,
  • banking platform 2.6.2,
  • banking platform 2.7.0,
  • banking platform 2.7.1,
  • banking platform 2.9.0,
  • communications billing and revenue management 12.0.0.3.0,
  • communications billing and revenue management 7.5.0.23.0,
  • communications calendar server 8.0.0.2.0,
  • communications calendar server 8.0.0.3.0,
  • communications cloud native core network slice selection function 1.2.1,
  • communications evolved communications application server 7.1,
  • debian linux 10.0,
  • debian linux 8.0,
  • debian linux 9.0,
  • fedora 30,
  • fedora 31,
  • global lifecycle management nextgen oui framework 12.2.1.3.0,
  • global lifecycle management nextgen oui framework 12.2.1.4.0,
  • global lifecycle management nextgen oui framework 13.9.4.2.2,
  • goldengate application adapters 19.1.0.0.0,
  • jackson-databind,
  • jboss enterprise application platform 7.2,
  • jboss enterprise application platform 7.3,
  • jd edwards enterpriseone orchestrator 9.2,
  • jd edwards enterpriseone tools 9.2,
  • oncommand api services -,
  • oncommand workflow automation -,
  • primavera gateway,
  • primavera gateway 16.1,
  • primavera gateway 16.2,
  • primavera gateway 19.12.0,
  • retail merchandising system 15.0.3,
  • retail merchandising system 16.0.2,
  • retail merchandising system 16.0.3,
  • retail sales audit 14.1,
  • service level manager -,
  • siebel engineering - installer & deployment,
  • steelstore cloud integrated storage -,
  • trace file analyzer 12.2.0.1,
  • trace file analyzer 18c,
  • trace file analyzer 19c,
  • webcenter portal 12.2.1.3.0,
  • webcenter portal 12.2.1.4.0,
  • webcenter sites 12.2.1.3.0,
  • webcenter sites 12.2.1.4.0,
  • weblogic server 12.2.1.3.0,
  • weblogic server 12.2.1.4.0

References

Advisory

Additional Info

Technical Analysis