Is CVE-2019-14893 actively exploited?

CVE-2019-14893 has no public evidence of in-the-wild exploitation as of 2024-11-21.

What is the CVSS score for CVE-2019-14893?

CVE-2019-14893 has a CVSS score of 9.8 (CRITICAL severity). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

How do I patch CVE-2019-14893?

Patch guidance is available from fasterxml security advisories. CVEDatabase generates AI-assisted remediation guidance on demand for CVE-2019-14893.

Fix CVE-2019-14893 - CRITICAL fasterxml jackson-databind

Q: Which products are affected by CVE-2019-14893?

5 products: fasterxml jackson-databind, fasterxml jackson-databind, netapp oncommand api services, netapp steelstore cloud integrated storage, oracle goldengate stream analytics.

Description

A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.

CVSS Metrics

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: network
Complexity: low
Privileges: none
User Action: none
Scope: unchanged
Confidentiality: high
Integrity: high
Availability: high
Weaknesses: CWE-200 · Information Disclosure CWE-502 · Insecure Deserialization CWE-502 · Insecure Deserialization

Metadata

Primary Vendor: FASTERXML
Published: 3/2/2020
Last Modified: 11/21/2024
Source: NIST NVD
Note: Verify all details with official vendor sources before applying patches.

Affected Products

fasterxml : jackson-databindfasterxml : jackson-databindnetapp : oncommand_api_servicesnetapp : steelstore_cloud_integrated_storageoracle : goldengate_stream_analytics

Remediation Guidance

Executive Summary

View on NIST NVD