CVE-2019-10172
Published: 18 November 2019
A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. XML external entity vulnerabilities similar CVE-2016-3720 also affects codehaus jackson-mapper-asl libraries but in different classes.
From the Ubuntu Security Team
It was discovered that Jackson Databind incorrectly handled deserialization. An attacker could possibly use this issue to execute arbitrary code.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
libjackson-json-java Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
| focal |
Needs triage
|
|
| groovy |
Ignored
(reached end-of-life)
|
|
| hirsute |
Not vulnerable
(1.9.13-2)
|
|
| impish |
Not vulnerable
(1.9.13-2)
|
|
| jammy |
Not vulnerable
(1.9.13-2)
|
|
| kinetic |
Not vulnerable
(1.9.13-2)
|
|
| precise |
Does not exist
|
|
| trusty |
Released
(1.9.2-3+deb8u1build0.14.04.1~esm1)
|
|
| upstream |
Needs triage
|
|
| xenial |
Released
(1.9.2-7ubuntu0.2)
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 7.5 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | High |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10172
- https://bugzilla.redhat.com/show_bug.cgi?id=1715075
- https://stackoverflow.com/questions/38017676/small-fix-for-cve-2016-3720-with-older-versions-of-jackson-all-1-9-11-and-in-ja/38017721
- https://github.com/FasterXML/jackson-1/pull/1
- https://ubuntu.com/security/notices/USN-4741-1
- NVD
- Launchpad
- Debian