Get a demo
100% Signal 0% Noise Invicti Logo - The Largest Dynamic Application Security Solutions Provider In The World Get a demo
Jboss EAP Deserialization of Untrusted Data Vulnerability - CVE-2019-14893 - Vulnerability Database
Jboss EAP

Jboss EAP Deserialization of Untrusted Data Vulnerability - CVE-2019-14893

Critical
Reference: CVE-2019-14893
NVD Link: https://nvd.nist.gov/vuln/detail/CVE-2019-14893
Title: Jboss EAP Deserialization of Untrusted Data Vulnerability
Overview:

A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0 where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as enableDefaultTyping() or when JsonTypeInfo is using Id.CLASS or Id.MINIMAL_CLASS or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.