CVE-2019-14893: Deserialization of Untrusted Data
A flaw was discovered in FasterXML jackson-databind that permits polymorphic deserialization of malicious objects. Specifically, the flaw is triggered when the xalan JNDI gadget is used in conjunction with polymorphic type handling methods such as enableDefaultTyping(). The gadget may also be combined with @JsonTypeInfo when it is using Id.CLASS or Id.MINIMAL_CLASS, or in any other way in which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.
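The configurations the advisory names, shown side by side as an added example (not code from the advisory or from the jackson-databind project): the unrestricted enableDefaultTyping() pattern, the same feature behind a PolymorphicTypeValidator allow-list (available from jackson-databind 2.10), and @JsonTypeInfo using logical names instead of Id.CLASS. The package prefix "com.example.app.model." and the Shape/Circle/Square types are assumptions for illustration.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class MapperConfig {

    // Weak pattern: default typing with no validator. Any JSON document carrying
    // a class-name type id can choose an arbitrary class on the classpath, which
    // is the precondition this CVE depends on.
    static ObjectMapper unsafeMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // deprecated since 2.10; do not use
        return mapper;
    }

    // Hardened pattern (2.10+): default typing is activated only behind a
    // PolymorphicTypeValidator that allow-lists the application's own model
    // package (assumed prefix). Type ids naming any other class are rejected
    // before the class is loaded or instantiated.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.app.model.")
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // @JsonTypeInfo alternative: logical names resolved through an explicit
    // @JsonSubTypes list instead of Id.CLASS or Id.MINIMAL_CLASS, so the JSON
    // selects among declared subtypes and can never name a class directly.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "type")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = Circle.class, name = "circle"),
        @JsonSubTypes.Type(value = Square.class, name = "square")
    })
    interface Shape {}
    static class Circle implements Shape { public double radius; }
    static class Square implements Shape { public double side; }

    // Safest pattern where polymorphism is not needed: no default typing at all,
    // deserializing straight into a concrete, known type.
    static <T> T readTrusted(String json, Class<T> type) throws Exception {
        return new ObjectMapper().readValue(json, type);
    }
}
```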