CVE-2019-12814
Polymorphic Typing issue vulnerability in com.fasterxml.jackson.core:jackson-databind


What is CVE-2019-12814 About?

This vulnerability is a Polymorphic Typing issue in FasterXML jackson-databind 2.x through 2.9.9. It allows unauthenticated remote attackers to read arbitrary local files if Default Typing is enabled and JDOM 1.x or 2.x is in the classpath. Exploitation involves crafting a special JSON message to trigger file reading during deserialization.

Affected Software

  • com.fasterxml.jackson.core:jackson-databind
    • >2.9.0, <2.9.9.1
    • >2.8.0, <2.8.11.4
    • >2.7.0, <2.7.9.6
    • >2.0.0, <2.6.7.3

Technical Details

A Polymorphic Typing vulnerability affects FasterXML jackson-databind versions 2.x through 2.9.9. This issue occurs when 'Default Typing' is enabled (either globally or for a specific property) for an externally exposed JSON endpoint. If a JDOM 1.x or 2.x jar is also present in the application's classpath, an attacker can send a specially crafted JSON message. This JSON exploits the deserialization process by directing jackson-databind to instantiate a JDOM-related class that, when constructed or initialized with attacker-controlled parameters, can be coerced into reading arbitrary local files from the server's filesystem. The attack leverages the ability to specify object types within the JSON, which lets the attacker control which classes are loaded and how they are initialized, ultimately diverting the deserialization flow into an unintended file-read operation.

What is the Impact of CVE-2019-12814?

Successful exploitation may allow attackers to read arbitrary local files from the server, potentially leading to the disclosure of sensitive configuration files, source code, or other confidential data.

What is the Exploitability of CVE-2019-12814?

Exploitation requires Default Typing to be enabled in Jackson-databind and the presence of JDOM 1.x or 2.x in the application's classpath. The complexity is moderate, as it involves crafting a specific JSON payload that abuses the deserialization mechanism. No authentication or specific privileges are explicitly required if an endpoint that processes untrusted JSON input is exposed. This is a remote attack. The primary constraint is the specific configuration of Jackson-databind and available dependencies. The likelihood of exploitation increases in applications that blindly deserialize untrusted JSON with polymorphic typing enabled while also having the vulnerable JDOM dependency.

What are the Known Public Exploits?

PoC Author: Al1ex
Link: Link
Commentary: CVE-2019-12814: Jackson JDOM XSLTransformer Gadget

What are the Available Fixes for CVE-2019-12814?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

The patch adds the classes ch.qos.logback.core.db.DriverManagerConnectionSource, org.jdom.transform.XSLTransformer, and org.jdom2.transform.XSLTransformer to the list of blocked classes in SubTypeValidator, preventing them from being deserialized via polymorphic type handling. This mitigates CVE-2019-12814 by blocking classes known to allow remote code execution upon deserialization.
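The blocklist described above is a backport-style fix; the precondition the Technical Details section names (Default Typing enabled for an endpoint that receives untrusted JSON) can also be removed on the application side. The following is an added example, not code from the advisory or from Resolved Security, contrasting the weak configuration with an allow-list-based one. It assumes jackson-databind 2.10 or later (activateDefaultTyping and BasicPolymorphicTypeValidator exist from 2.10) and a hypothetical model package com.example.model.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingHardening {

    // Weak: enableDefaultTyping() lets a JSON type id name any non-final class on the
    // classpath, which is the configuration CVE-2019-12814 depends on. Deprecated since 2.10.
    static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping();
        return mapper;
    }

    // Hardened: only subtypes under the application's own (hypothetical) model package may be
    // named in a type id. Anything else is rejected before the named class is instantiated,
    // independently of whatever SubTypeValidator's blocklist happens to contain.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: a type id outside the allow-list. java.util.HashMap is used only
        // because it is guaranteed to be on the classpath; it carries no special behaviour.
        String untrusted = "[\"java.util.HashMap\", {}]";
        try {
            hardenedMapper().readValue(untrusted, Object.class);
            System.out.println("unexpected: type id accepted");
        } catch (InvalidTypeIdException e) {
            // Expected path: the validator returns INDETERMINATE for an unlisted subtype,
            // which Jackson treats as a denial.
            System.out.println("rejected type id: " + e.getTypeId());
        }
    }
}
```

On 2.9.x and earlier, where no PolymorphicTypeValidator exists, the equivalent measure is to not enable Default Typing on endpoints that consume untrusted JSON and to upgrade to the fixed versions listed below.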

Available Upgrade Options

  • com.fasterxml.jackson.core:jackson-databind
    • >2.0.0, <2.6.7.3 → Upgrade to 2.6.7.3
  • com.fasterxml.jackson.core:jackson-databind
    • >2.7.0, <2.7.9.6 → Upgrade to 2.7.9.6
  • com.fasterxml.jackson.core:jackson-databind
    • >2.8.0, <2.8.11.4 → Upgrade to 2.8.11.4
  • com.fasterxml.jackson.core:jackson-databind
    • >2.9.0, <2.9.9.1 → Upgrade to 2.9.9.1


Additional Resources

What are Similar Vulnerabilities to CVE-2019-12814?

Similar Vulnerabilities: CVE-2019-14439, CVE-2019-16943, CVE-2019-16335, CVE-2019-14540, CVE-2017-7525