CVE-2019-10172
Published: 18 November 2019
A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. XML external entity vulnerabilities similar CVE-2016-3720 also affects codehaus jackson-mapper-asl libraries but in different classes.
From the Ubuntu Security Team
It was discovered that Jackson Databind incorrectly handled deserialization. An attacker could possibly use this issue to execute arbitrary code.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
libjackson-json-java Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
| focal |
Needs triage
|
|
| groovy |
Ignored
(end of life)
|
|
| hirsute |
Not vulnerable
(1.9.13-2)
|
|
| impish |
Not vulnerable
(1.9.13-2)
|
|
| jammy |
Not vulnerable
(1.9.13-2)
|
|
| kinetic |
Not vulnerable
(1.9.13-2)
|
|
| lunar |
Not vulnerable
(1.9.13-2)
|
|
| mantic |
Not vulnerable
(1.9.13-2)
|
|
| noble |
Not vulnerable
(1.9.13-2)
|
|
| trusty |
Released
(1.9.2-3+deb8u1build0.14.04.1~esm1)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
|
| upstream |
Needs triage
|
|
| xenial |
Released
(1.9.2-7ubuntu0.2)
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 7.5 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | High |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
References
- https://bugzilla.redhat.com/show_bug.cgi?id=1715075
- https://stackoverflow.com/questions/38017676/small-fix-for-cve-2016-3720-with-older-versions-of-jackson-all-1-9-11-and-in-ja/38017721
- https://github.com/FasterXML/jackson-1/pull/1
- https://ubuntu.com/security/notices/USN-4741-1
- https://www.cve.org/CVERecord?id=CVE-2019-10172
- NVD
- Launchpad
- Debian