[java-sig-commits] [Bug 1725795] New: CVE-2019-12814 jackson-databind: polymorphic typing issue allows attacker to read arbitrary local files on the server via crafter JSON message.

https://bugzilla.redhat.com/show_bug.cgi?id=1725795 Bug ID: 1725795 Summary: CVE-2019-12814 jackson-databind: polymorphic typing issue allows attacker to read arbitrary local files on the server via crafter JSON message. Product: Security Response Hardware: All OS: Linux Status: NEW Whiteboard: impact=moderate,public=20190604,reported=20190620,sour ce=cve,cvss3=7.5/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/ I:N/A:N,cwe=CWE-502->CWE-200,fedora-all/jackson-databi nd=affected,amq-6/jackson-databind=new,amq-st/jackson- databind=new,bpms-6/jackson-databind=new,openstack-8/o pendaylight=new,openstack-9/opendaylight=new,openstack -10/opendaylight=new,openstack-13/opendaylight=new,ope nstack-14/opendaylight=new,rhsso-7/jackson-databind=ne w,vertx-3/jackson-databind=new,swarm-7/jackson-databin d=new,rhel-8/pki-deps:10.6/jackson-databind=new,rhn_sa tellite_6/jackson-databind=new,rhscl-3/rh-maven35-jack son-databind=new,rhdm-7/jackson-databind=new,rhpam-7/j ackson-databind=new,fuse-6/jackson-databind=new,fuse-7 /jackson-databind=new,eap-7/jackson-databind=new,rhmap -4/jackson-databind=new,openshift-enterprise-3/ose-log ging-elasticsearch5=new Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: msiddiqu(a)redhat.com CC: ahardin(a)redhat.com, aileenc(a)redhat.com, akoufoud(a)redhat.com, alazarot(a)redhat.com, almorale(a)redhat.com, anstephe(a)redhat.com, asoldano(a)redhat.com, ataylor(a)redhat.com, avibelli(a)redhat.com, bbaranow(a)redhat.com, bbuckingham(a)redhat.com, bcourt(a)redhat.com, bgeorges(a)redhat.com, bkearney(a)redhat.com, bleanhar(a)redhat.com, bmaxwell(a)redhat.com, brian.stansberry(a)redhat.com, btotty(a)redhat.com, cbyrne(a)redhat.com, ccoleman(a)redhat.com, cdewolf(a)redhat.com, chazlett(a)redhat.com, cmacedo(a)redhat.com, darran.lofthouse(a)redhat.com, dbecker(a)redhat.com, dedgar(a)redhat.com, dffrench(a)redhat.com, dosoudil(a)redhat.com, drieden(a)redhat.com, drusso(a)redhat.com, eparis(a)redhat.com, etirelli(a)redhat.com, ggaughan(a)redhat.com, hhorak(a)redhat.com, hhudgeon(a)redhat.com, ibek(a)redhat.com, iweiss(a)redhat.com, janstey(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jawilson(a)redhat.com, jbalunas(a)redhat.com, jgoulding(a)redhat.com, jjoyce(a)redhat.com, jkurik(a)redhat.com, jmadigan(a)redhat.com, jochrist(a)redhat.com, jokerman(a)redhat.com, jorton(a)redhat.com, jpallich(a)redhat.com, jperkins(a)redhat.com, jschluet(a)redhat.com, jshepherd(a)redhat.com, kbasil(a)redhat.com, krathod(a)redhat.com, kverlaen(a)redhat.com, kwills(a)redhat.com, lef(a)fedoraproject.org, lgao(a)redhat.com, lhh(a)redhat.com, lpeer(a)redhat.com, lpetrovi(a)redhat.com, lthon(a)redhat.com, lzap(a)redhat.com, mat.booth(a)redhat.com, mburns(a)redhat.com, mchappel(a)redhat.com, mhulan(a)redhat.com, mkolesni(a)redhat.com, mmccune(a)redhat.com, mnovotny(a)redhat.com, msochure(a)redhat.com, msvehla(a)redhat.com, mszynkie(a)redhat.com, ngough(a)redhat.com, nwallace(a)redhat.com, paradhya(a)redhat.com, pdrozd(a)redhat.com, pgallagh(a)redhat.com, pmackay(a)redhat.com, psotirop(a)redhat.com, puntogil(a)libero.it, pwright(a)redhat.com, rchan(a)redhat.com, rguimara(a)redhat.com, rhcs-maint(a)redhat.com, rjerrido(a)redhat.com, rrajasek(a)redhat.com, rruss(a)redhat.com, rsvoboda(a)redhat.com, rsynek(a)redhat.com, sclewis(a)redhat.com, scohen(a)redhat.com, sdaley(a)redhat.com, slinaber(a)redhat.com, smaestri(a)redhat.com, sthorger(a)redhat.com, tbrisker(a)redhat.com, tom.jenkinson(a)redhat.com, trepel(a)redhat.com, trogers(a)redhat.com, twalsh(a)redhat.com Target Milestone: --- Classification: Other A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server. Upstream issue: https://github.com/FasterXML/jackson-databind/issues/2341 Upstream patch: https://github.com/FasterXML/jackson-databind/commit/5f7c69bba07a7155adde... -- You are receiving this mail because: You are on the CC list for the bug.