CVE-2019-14893: Deserialization of Untrusted Data

March 2, 2020 (updated March 4, 2020)

A flaw was discovered in FasterXML jackson-databind that permits polymorphic deserialization of malicious objects. Specifically when the xalan JNDI gadget is used in conjunction with polymorphic type handling methods such as enableDefaultTyping(). The gadget may also be combined with @JsonTypeInfo when it is using Id.CLASS or Id.MINIMAL_CLASS, or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.

References

bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14893
nvd.nist.gov/vuln/detail/CVE-2019-14893

Code Behaviors & Features

Detect and mitigate CVE-2019-14893 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →