Deserialization of Untrusted Datacom.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.
Affected versions of this package are vulnerable to Deserialization of Untrusted Data. A Polymorphic Typing issue was discovered as org.apache.cxf.jaxrs.provider.XSLTJaxbProvider was not blocked. An attacker could leverage this gadget type to perform Remote Code Execution attacks through deserialization.
Note: This is a different vulnerability than CVE-2019-14540.
vdenotaris
commented
4 years ago
Deserialization of Untrusted Data
com.fasterxml.jackson.core:jackson-databindis a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.Affected versions of this package are vulnerable to Deserialization of Untrusted Data. A Polymorphic Typing issue was discovered as
org.apache.cxf.jaxrs.provider.XSLTJaxbProviderwas not blocked. An attacker could leverage this gadget type to perform Remote Code Execution attacks through deserialization.Note: This is a different vulnerability than CVE-2019-14540.