CVE-2019-14379

SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution.

References

Affected packages

Git / github.com/FasterXML/jackson-databind

Affected ranges

Type

GIT

Repo

https://github.com/FasterXML/jackson-databind

Events

Introduced

e8df0987e3034d102ee6d704d30a05a2e3ac7089

Fixed

ec1adf8c72625fd51b30105afad7464c4332d542

Introduced

50791cc7856376949287e0be3e96147665ab8f68

Fixed

97986cb157d9d1da1256b24ea01b6c9f03b736dd

Introduced

81929fad84189ce59ef82e7a6d0df795eb0c7cdb

Fixed

e013e0f1279b623257d2f0d3ac66b7355db9561d

Introduced

e969f0a31b781f5dfb74e16ddd5ee4b4fa36e8d8

Fixed

bf93aeb39ee9b1ea1ac4e1625e7d33377d1007f5

Introduced

Last affected

a5807c566af27b184731dd4eb7dfcc420962db32

Introduced

Last affected

7a095bcc66b228ea48e37c57eafd7d78ce5c090c

Introduced

Last affected

9efc4abb22c664c492271bc9907bbfbf4f70889c

Introduced

Last affected

21f90cf247018c1286cc20544029782450dc270a

Introduced

Last affected

060726b011b008496cd8bb0997ee94a6b73530d1

Introduced

Last affected

50791cc7856376949287e0be3e96147665ab8f68

Introduced

Last affected

ce9dc07af83f77568a613fd45a86f58c93ba1a02

Database specific

{
    "versions": [
        {
            "introduced": "2.0.0"
        },
        {
            "fixed": "2.6.7.3"
        },
        {
            "introduced": "2.7.0"
        },
        {
            "fixed": "2.7.9.6"
        },
        {
            "introduced": "2.8.0"
        },
        {
            "fixed": "2.8.11.4"
        },
        {
            "introduced": "2.9.0"
        },
        {
            "fixed": "2.9.9.2"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.4.0"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.4.1"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.5.0"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.6.0"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.6.1"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.7.0"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.7.1"
        }
    ]
}

Affected versions

2.*

2.2.0c

jackson-databind-2.*

jackson-databind-2.0.0

jackson-databind-2.0.0-RC1

jackson-databind-2.0.0-RC2

jackson-databind-2.0.0-RC3

jackson-databind-2.0.1

jackson-databind-2.0.2

jackson-databind-2.0.4

jackson-databind-2.0.5

jackson-databind-2.0.6

jackson-databind-2.1.0

jackson-databind-2.1.1

jackson-databind-2.1.2

jackson-databind-2.1.3

jackson-databind-2.1.4

jackson-databind-2.1.5

jackson-databind-2.10.0.pr1

jackson-databind-2.2.0

jackson-databind-2.2.0-rc1

jackson-databind-2.2.1

jackson-databind-2.2.2

jackson-databind-2.2.3

jackson-databind-2.2.4

jackson-databind-2.3.0

jackson-databind-2.3.0-rc1

jackson-databind-2.3.1

jackson-databind-2.3.2

jackson-databind-2.3.3

jackson-databind-2.3.4

jackson-databind-2.3.5

jackson-databind-2.4.0

jackson-databind-2.4.0-rc1

jackson-databind-2.4.0-rc2

jackson-databind-2.4.0-rc3

jackson-databind-2.7.0

jackson-databind-2.8.0

jackson-databind-2.8.1

jackson-databind-2.8.10

jackson-databind-2.8.11

jackson-databind-2.8.11.1

jackson-databind-2.8.11.2

jackson-databind-2.8.11.3

jackson-databind-2.8.2

jackson-databind-2.8.3

jackson-databind-2.8.4

jackson-databind-2.8.5

jackson-databind-2.8.6

jackson-databind-2.8.7

jackson-databind-2.8.8

jackson-databind-2.8.8.1

jackson-databind-2.8.9

jackson-databind-2.9.0

jackson-databind-2.9.0.pr1

jackson-databind-2.9.0.pr2

jackson-databind-2.9.0.pr3

jackson-databind-2.9.0.pr4

jackson-databind-2.9.1

jackson-databind-2.9.2

jackson-databind-2.9.3

jackson-databind-2.9.4

jackson-databind-2.9.5

jackson-databind-2.9.6

jackson-databind-2.9.7

jackson-databind-2.9.8

jackson-databind-2.9.9

jackson-databind-2.9.9.1

Database specific

unresolved_ranges

[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "8.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "7.3"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "7.3"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "9.5"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "29"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "30"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "31"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "7.2"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "7.3"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "4.1"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "7.3"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "3.11"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "7.2"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "7.3"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "7.3"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "7.2"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "7.3"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "7.3"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "8.0.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "8.1"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "8.2"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "8.2.1"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "10.0.1.3.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "8.0.2"
            },
            {
                "last_affected": "8.0.8"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "fixed": "19.1.0.0.1"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "9.2"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "9.2"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "15.2"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "16.2"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "17.12"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "18.8.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "17.7"
            },
            {
                "last_affected": "17.12"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "16.1"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "16.2"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "18.8"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "17.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "7.1"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "15.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "16.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "17.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "18.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "19.8"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "19.10"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "fixed": "13.3"
            }
        ]
    }
]

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-14379.json"