CVE-2019-14439 (CNNVD-201907-1500)

HIGH
中文标题:
FasterXML jackson-databind 信息泄露漏洞
英文标题:
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occ...
CVSS分数: 7.5
发布时间: 2019-07-30 10:49:43
漏洞类型: 代码问题
状态: PUBLISHED
数据质量分数: 0.30
数据版本: v3
漏洞描述
中文描述:

FasterXML Jackson是美国FasterXML公司的一款适用于Java的数据处理工具。jackson-databind是其中的一个具有数据绑定功能的组件。 FasterXML jackson-databind 2.9.9.2之前的2.x版本中存在安全漏洞。目前尚无此漏洞的相关信息,请随时关注CNNVD或厂商公告。

英文描述:

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.

CWE类型:
CWE-502
标签:
(暂无数据)
受影响产品
厂商 产品 版本 版本范围 平台 CPE
fasterxml jackson-databind * - - cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*
debian debian_linux 8.0 - - cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
debian debian_linux 9.0 - - cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
debian debian_linux 10.0 - - cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
fedoraproject fedora 29 - - cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*
fedoraproject fedora 30 - - cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
apache drill 1.16.0 - - cpe:2.3:a:apache:drill:1.16.0:*:*:*:*:*:*:*
redhat jboss_middleware_text-only_advisories 1.0 - - cpe:2.3:a:redhat:jboss_middleware_text-only_advisories:1.0:*:*:*:*:middleware:*:*
oracle banking_platform 2.4.0 - - cpe:2.3:a:oracle:banking_platform:2.4.0:*:*:*:*:*:*:*
oracle banking_platform 2.4.1 - - cpe:2.3:a:oracle:banking_platform:2.4.1:*:*:*:*:*:*:*
oracle banking_platform 2.5.0 - - cpe:2.3:a:oracle:banking_platform:2.5.0:*:*:*:*:*:*:*
oracle banking_platform 2.6.0 - - cpe:2.3:a:oracle:banking_platform:2.6.0:*:*:*:*:*:*:*
oracle banking_platform 2.6.1 - - cpe:2.3:a:oracle:banking_platform:2.6.1:*:*:*:*:*:*:*
oracle banking_platform 2.7.0 - - cpe:2.3:a:oracle:banking_platform:2.7.0:*:*:*:*:*:*:*
oracle banking_platform 2.7.1 - - cpe:2.3:a:oracle:banking_platform:2.7.1:*:*:*:*:*:*:*
oracle communications_diameter_signaling_router 8.0.0 - - cpe:2.3:a:oracle:communications_diameter_signaling_router:8.0.0:*:*:*:*:*:*:*
oracle communications_diameter_signaling_router 8.1 - - cpe:2.3:a:oracle:communications_diameter_signaling_router:8.1:*:*:*:*:*:*:*
oracle communications_diameter_signaling_router 8.2 - - cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2:*:*:*:*:*:*:*
oracle communications_diameter_signaling_router 8.2.1 - - cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2.1:*:*:*:*:*:*:*
oracle communications_instant_messaging_server 10.0.1.3.0 - - cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.3.0:*:*:*:*:*:*:*
oracle financial_services_analytical_applications_infrastructure * - - cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*
oracle global_lifecycle_management_opatch * - - cpe:2.3:a:oracle:global_lifecycle_management_opatch:*:*:*:*:*:*:*:*
oracle global_lifecycle_management_opatch 11.2.0.3.23 - - cpe:2.3:a:oracle:global_lifecycle_management_opatch:11.2.0.3.23:*:*:*:*:*:*:*
oracle global_lifecycle_management_opatch 13.9.4.2.1 - - cpe:2.3:a:oracle:global_lifecycle_management_opatch:13.9.4.2.1:*:*:*:*:*:*:*
oracle goldengate_stream_analytics * - - cpe:2.3:a:oracle:goldengate_stream_analytics:*:*:*:*:*:*:*:*
oracle jd_edwards_enterpriseone_orchestrator 9.2 - - cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:9.2:*:*:*:*:*:*:*
oracle jd_edwards_enterpriseone_tools 9.2 - - cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:*:*:*:*:*:*:*
oracle primavera_gateway * - - cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*
oracle primavera_gateway 15.2 - - cpe:2.3:a:oracle:primavera_gateway:15.2:*:*:*:*:*:*:*
oracle primavera_gateway 16.1 - - cpe:2.3:a:oracle:primavera_gateway:16.1:*:*:*:*:*:*:*
oracle primavera_gateway 16.2 - - cpe:2.3:a:oracle:primavera_gateway:16.2:*:*:*:*:*:*:*
oracle primavera_gateway 18.8.0 - - cpe:2.3:a:oracle:primavera_gateway:18.8.0:*:*:*:*:*:*:*
oracle retail_customer_management_and_segmentation_foundation 17.0 - - cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:17.0:*:*:*:*:*:*:*
oracle retail_xstore_point_of_service 7.1 - - cpe:2.3:a:oracle:retail_xstore_point_of_service:7.1:*:*:*:*:*:*:*
oracle retail_xstore_point_of_service 15.0 - - cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0:*:*:*:*:*:*:*
oracle retail_xstore_point_of_service 16.0 - - cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0:*:*:*:*:*:*:*
oracle retail_xstore_point_of_service 17.0 - - cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0:*:*:*:*:*:*:*
oracle retail_xstore_point_of_service 18.0 - - cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0:*:*:*:*:*:*:*
oracle siebel_engineering_-_installer_\&_deployment * - - cpe:2.3:a:oracle:siebel_engineering_-_installer_\&_deployment:*:*:*:*:*:*:*:*
oracle siebel_ui_framework * - - cpe:2.3:a:oracle:siebel_ui_framework:*:*:*:*:*:*:*:*
解决方案
中文解决方案:
(暂无数据)
英文解决方案:
(暂无数据)
临时解决方案:
(暂无数据)
参考链接
[debian-lts-announce] 20190812 [SECURITY] [DLA 1879-1] jackson-databind security update mailing-list
cve.org
访问
[tomee-dev] 20190905 [GitHub] [tomee] asf-ci commented on issue #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439 mailing-list
cve.org
访问
[tomee-dev] 20190905 [GitHub] [tomee] asf-ci commented on issue #548: [TOMEE-2655] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439 mailing-list
cve.org
访问
[tomee-dev] 20190905 [GitHub] [tomee] rzo1 opened a new pull request #548: [TOMEE-2655] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439 mailing-list
cve.org
访问
[tomee-dev] 20190905 [GitHub] [tomee] rzo1 opened a new pull request #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439 mailing-list
cve.org
访问
[tomee-dev] 20190905 [GitHub] [tomee] robert-schaft-hon commented on issue #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439 mailing-list
cve.org
访问
[tomee-dev] 20190906 [GitHub] [tomee] rzo1 commented on issue #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439 mailing-list
cve.org
访问
[struts-dev] 20190908 Build failed in Jenkins: Struts-master-JDK8-dependency-check #204 mailing-list
cve.org
访问
[tomee-dev] 20190909 [GitHub] [tomee] jgallimore merged pull request #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439 mailing-list
cve.org
访问
[tomee-dev] 20190909 [GitHub] [tomee] jgallimore merged pull request #548: [TOMEE-2655] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439 mailing-list
cve.org
访问
[cassandra-commits] 20190919 [jira] [Created] (CASSANDRA-15328) Bump jackson version to >= 2.9.9.3 to address security vulnerabilities mailing-list
cve.org
访问
FEDORA-2019-ae6a703b8f vendor-advisory
cve.org
访问
FEDORA-2019-fb23eccc03 vendor-advisory
cve.org
访问
DSA-4542 vendor-advisory
cve.org
访问
20191007 [SECURITY] [DSA 4542-1] jackson-databind security update mailing-list
cve.org
访问
[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities mailing-list
cve.org
访问
[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities mailing-list
cve.org
访问
[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities mailing-list
cve.org
访问
RHSA-2019:3200 vendor-advisory
cve.org
访问
[nifi-commits] 20191113 svn commit: r1869773 - /nifi/site/trunk/security.html mailing-list
cve.org
访问
[nifi-commits] 20200123 svn commit: r1873083 - /nifi/site/trunk/security.html mailing-list
cve.org
访问
无标题 x_refsource_MISC
cve.org
访问
无标题 x_refsource_MISC
cve.org
访问
无标题 x_refsource_MISC
cve.org
访问
无标题 x_refsource_MISC
cve.org
访问
无标题 x_refsource_MISC
cve.org
访问
无标题 x_refsource_CONFIRM
cve.org
访问
无标题 x_refsource_MISC
cve.org
访问
无标题 x_refsource_MISC
cve.org
访问
CVSS评分详情
7.5
HIGH
CVSS向量: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS版本: 3.1
机密性
HIGH
完整性
NONE
可用性
NONE
时间信息
发布时间:
2019-07-30 10:49:43
修改时间:
2024-08-05 00:19:41
创建时间:
2025-11-11 15:35:33
更新时间:
2025-11-11 15:54:38
利用信息
暂无可利用代码信息
数据源详情
数据源 记录ID 版本 提取时间
CVE cve_CVE-2019-14439 2025-11-11 15:20:02 2025-11-11 07:35:33
NVD nvd_CVE-2019-14439 2025-11-11 14:56:24 2025-11-11 07:44:05
CNNVD cnnvd_CNNVD-201907-1500 2025-11-11 15:10:14 2025-11-11 07:54:38
版本与语言
当前版本: v3
主要语言: EN
支持语言:
EN ZH
安全公告
暂无安全公告信息
变更历史
v3 CNNVD
2025-11-11 15:54:38
vulnerability_type: 未提取 → 代码问题; cnnvd_id: 未提取 → CNNVD-201907-1500; data_sources: ['cve', 'nvd'] → ['cnnvd', 'cve', 'nvd']
查看详细变更
  • vulnerability_type: 未提取 -> 代码问题
  • cnnvd_id: 未提取 -> CNNVD-201907-1500
  • data_sources: ['cve', 'nvd'] -> ['cnnvd', 'cve', 'nvd']
v2 NVD
2025-11-11 15:44:05
severity: SeverityLevel.MEDIUM → SeverityLevel.HIGH; cvss_score: 未提取 → 7.5; cvss_vector: NOT_EXTRACTED → CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N; cvss_version: NOT_EXTRACTED → 3.1; affected_products_count: 0 → 40; data_sources: ['cve'] → ['cve', 'nvd']
查看详细变更
  • severity: SeverityLevel.MEDIUM -> SeverityLevel.HIGH
  • cvss_score: 未提取 -> 7.5
  • cvss_vector: NOT_EXTRACTED -> CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  • cvss_version: NOT_EXTRACTED -> 3.1
  • affected_products_count: 0 -> 40
  • data_sources: ['cve'] -> ['cve', 'nvd']