Bug 1165035 - (CVE-2019-14379) VUL-0: CVE-2019-14379: jackson-databind: default typing mishandling leading to remote code execution
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P5 - None
Severity: Major
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/238210/
CVSSv3.1:SUSE:CVE-2019-14379:9.8:(AV:...
Reported: 2020-02-26 16:04 UTC by Alexandros Toptsoglou
Modified: 2022-07-25 11:03 UTC

Description Alexandros Toptsoglou 2020-02-26 16:04:12 UTC
CVE-2019-14379

SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used, leading to remote code execution. 


References:
https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.1...jackson-databind-2.9.9.2
https://bugzilla.redhat.com/show_bug.cgi?id=1737517
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14379

Upstream issue:
https://github.com/FasterXML/jackson-databind/issues/2387
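The description above covers one more gadget class added to the hard-coded denylist in SubTypeValidator.java; the underlying weakness is blanket default typing, which lets the JSON sender pick the class that gets instantiated for any Object-typed property. The following is an added example, not code from this bug report or from the jackson-databind project: it places the weak configuration (legacy `enableDefaultTyping()`, protected only by the denylist) beside the hardened one (an explicit subtype allowlist via `PolymorphicTypeValidator`). It assumes jackson-databind 2.10 or later on the classpath; the `Config` class, the `com.example.model.` package prefix and the JSON input are constructed for illustration.

```java
// Added example, not part of the bug report or of jackson-databind itself.
// Assumes jackson-databind 2.10+ (activateDefaultTyping / PolymorphicTypeValidator).
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingDemo {

    // Constructed for illustration: any Object-typed property becomes a
    // polymorphic hole once default typing is switched on.
    public static class Config {
        public String name;
        public Object payload;
    }

    // Weak setting: the type id embedded in the JSON decides which class is
    // instantiated. Only the fixed denylist in SubTypeValidator stands between
    // attacker input and a gadget constructor; each CVE like this one is
    // another entry appended to that list.
    @SuppressWarnings("deprecation")
    static ObjectMapper legacyMapper() {
        return new ObjectMapper().enableDefaultTyping();
    }

    // Hardened setting: default typing is only honoured for class names under
    // an explicit allowlist prefix (hypothetical application package here).
    // Anything else is rejected before any constructor runs.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")
                .build();
        return new ObjectMapper().activateDefaultTyping(
                ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
    }

    // Deserialises a Config and returns whatever object the type id produced.
    static Object parsePayload(ObjectMapper mapper, String json) throws Exception {
        return mapper.readValue(json, Config.class).payload;
    }

    public static void main(String[] args) throws Exception {
        // Constructed attacker-shaped input: the sender chooses the class name
        // in the wrapper array. java.util.HashMap is harmless and stands in for
        // whichever class an attacker would actually name.
        String attackerJson =
                "{\"name\":\"x\",\"payload\":[\"java.util.HashMap\",{\"k\":\"v\"}]}";

        Object legacy = parsePayload(legacyMapper(), attackerJson);
        System.out.println("legacy mapper instantiated: " + legacy.getClass().getName());

        try {
            parsePayload(hardenedMapper(), attackerJson);
            System.out.println("hardened mapper accepted the type id (unexpected)");
        } catch (InvalidTypeIdException e) {
            // Expected: the allowlist denies java.util.HashMap.
            System.out.println("hardened mapper rejected type id: " + e.getTypeId());
        }
    }
}
```

Upgrading to 2.9.9.2 (or, as in Comment 1, shipping a version that already includes the fix) closes this specific gadget, but a deployment that still relies on blanket default typing remains one newly discovered classpath gadget away from the same outcome; the allowlist above, or simply not enabling default typing, removes that dependency on the denylist.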
Comment 1 Alexandros Toptsoglou 2020-02-26 16:05:47 UTC
Both Factory and SLE15-SP2 are not affected, since the version that we ship already contains the fix. Closing.