cpe:/a:fasterxml:jackson-databind:2.7.0 cpe:/a:fasterxml:jackson-databind:2.7.0:- cpe:/a:fasterxml:jackson-databind:2.7.0:rc1 cpe:/a:fasterxml:jackson-databind:2.7.0:rc2 cpe:/a:fasterxml:jackson-databind:2.7.0:rc3 cpe:/a:fasterxml:jackson-databind:2.7.1 cpe:/a:fasterxml:jackson-databind:2.7.1-1 cpe:/a:fasterxml:jackson-databind:2.7.2 cpe:/a:fasterxml:jackson-databind:2.7.3 cpe:/a:fasterxml:jackson-databind:2.7.4 cpe:/a:fasterxml:jackson-databind:2.7.5 cpe:/a:fasterxml:jackson-databind:2.7.6 cpe:/a:fasterxml:jackson-databind:2.7.7 cpe:/a:fasterxml:jackson-databind:2.7.8 cpe:/a:fasterxml:jackson-databind:2.7.9 cpe:/a:fasterxml:jackson-databind:2.7.9.1 cpe:/a:fasterxml:jackson-databind:2.7.9.2 cpe:/a:fasterxml:jackson-databind:2.7.9.3 cpe:/a:fasterxml:jackson-databind:2.7.9.4 cpe:/a:fasterxml:jackson-databind:2.7.9.5 cpe:/a:fasterxml:jackson-databind:2.8.0 cpe:/a:fasterxml:jackson-databind:2.8.1 cpe:/a:fasterxml:jackson-databind:2.8.2 cpe:/a:fasterxml:jackson-databind:2.8.3 cpe:/a:fasterxml:jackson-databind:2.8.4 cpe:/a:fasterxml:jackson-databind:2.8.5 cpe:/a:fasterxml:jackson-databind:2.8.6 cpe:/a:fasterxml:jackson-databind:2.8.7 cpe:/a:fasterxml:jackson-databind:2.8.8 cpe:/a:fasterxml:jackson-databind:2.8.8.1 cpe:/a:fasterxml:jackson-databind:2.8.9 cpe:/a:fasterxml:jackson-databind:2.8.10 cpe:/a:fasterxml:jackson-databind:2.8.11 cpe:/a:fasterxml:jackson-databind:2.8.11.1 cpe:/a:fasterxml:jackson-databind:2.8.11.2 cpe:/a:fasterxml:jackson-databind:2.8.11.3 cpe:/a:fasterxml:jackson-databind:2.9.0 cpe:/a:fasterxml:jackson-databind:2.9.0:- cpe:/a:fasterxml:jackson-databind:2.9.0:prerelease1 cpe:/a:fasterxml:jackson-databind:2.9.0:prerelease2 cpe:/a:fasterxml:jackson-databind:2.9.0:prerelease3 cpe:/a:fasterxml:jackson-databind:2.9.0:prerelease4 cpe:/a:fasterxml:jackson-databind:2.9.1 cpe:/a:fasterxml:jackson-databind:2.9.2 cpe:/a:fasterxml:jackson-databind:2.9.3 cpe:/a:fasterxml:jackson-databind:2.9.4 cpe:/a:fasterxml:jackson-databind:2.9.5 cpe:/a:fasterxml:jackson-databind:2.9.6 cpe:/a:fasterxml:jackson-databind:2.9.7 cpe:/a:fasterxml:jackson-databind:2.9.8 cpe:/a:fasterxml:jackson-databind:2.9.9 cpe:/o:debian:debian_linux:8.0 CVE-2019-12814 2019-06-19T10:15:10.897-04:00 2019-09-05T10:15:15.690-04:00 4.3 NETWORK MEDIUM NONE PARTIAL NONE NONE http://nvd.nist.gov FEDORA FEDORA-2019-99ff6aa32c FEDORA FEDORA-2019-ae6a703b8f FEDORA FEDORA-2019-fb23eccc03 REDHAT RHSA-2019:2858 REDHAT RHSA-2019:2935 REDHAT RHSA-2019:2936 REDHAT RHSA-2019:2937 REDHAT RHSA-2019:2938 REDHAT RHSA-2019:3044 REDHAT RHSA-2019:3045 REDHAT RHSA-2019:3046 REDHAT RHSA-2019:3050 MLIST [accumulo-commits] 20190723 [accumulo] branch 2.0 updated: Fix CVE-2019-12814 Use jackson-databind 2.9.9.1 MLIST [cassandra-commits] 20190919 [jira] [Created] (CASSANDRA-15328) Bump jackson version to >= 2.9.9.3 to address security vulnerabilities MLIST [debian-lts-announce] 20190621 [SECURITY] [DLA 1831-1] jackson-databind security update MLIST [geode-notifications] 20191007 [GitHub] [geode] jmelchio commented on issue #4102: Fix for GEODE-7255: Pickup Jackson CVE fix MLIST [struts-dev] 20190908 Build failed in Jenkins: Struts-master-JDK8-dependency-check #204 MLIST [tomee-dev] 20190905 [GitHub] [tomee] asf-ci commented on issue #548: [TOMEE-2655] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439 MLIST [tomee-dev] 20190905 [GitHub] [tomee] asf-ci commented on issue #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439 MLIST [tomee-dev] 20190905 [GitHub] [tomee] robert-schaft-hon commented on issue #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439 MLIST [tomee-dev] 20190905 [GitHub] [tomee] rzo1 opened a new pull request #548: [TOMEE-2655] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439 MLIST [tomee-dev] 20190905 [GitHub] [tomee] rzo1 opened a new pull request #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439 MLIST [tomee-dev] 20190906 [GitHub] [tomee] rzo1 commented on issue #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439 MLIST [tomee-dev] 20190909 [GitHub] [tomee] jgallimore merged pull request #548: [TOMEE-2655] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439 MLIST [tomee-dev] 20190909 [GitHub] [tomee] jgallimore merged pull request #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439 MLIST [zookeeper-dev] 20190623 [jira] [Created] (ZOOKEEPER-3441) OWASP is flagging jackson-databind-2.9.9.jar for CVE-2019-12814 MLIST [zookeeper-issues] 20190623 [jira] [Created] (ZOOKEEPER-3441) OWASP is flagging jackson-databind-2.9.9.jar for CVE-2019-12814 MLIST [zookeeper-issues] 20190623 [jira] [Updated] (ZOOKEEPER-3441) OWASP is flagging jackson-databind-2.9.9.jar for CVE-2019-12814 MLIST [zookeeper-issues] 20190708 [jira] [Commented] (ZOOKEEPER-3441) OWASP is flagging jackson-databind-2.9.9.jar for CVE-2019-12814 MLIST [zookeeper-issues] 20190712 [jira] [Assigned] (ZOOKEEPER-3441) OWASP is flagging jackson-databind-2.9.9.jar for CVE-2019-12814 MLIST [zookeeper-issues] 20190712 [jira] [Commented] (ZOOKEEPER-3441) OWASP is flagging jackson-databind-2.9.9.jar for CVE-2019-12814 MLIST [zookeeper-issues] 20190712 [jira] [Resolved] (ZOOKEEPER-3441) OWASP is flagging jackson-databind-2.9.9.jar for CVE-2019-12814 MLIST [zookeeper-issues] 20190713 [jira] [Updated] (ZOOKEEPER-3441) OWASP is flagging jackson-databind-2.9.9.jar for CVE-2019-12814 MLIST [zookeeper-notifications] 20190623 [GitHub] [zookeeper] eolivelli opened a new pull request #1001: ZOOKEEPER-3441 OWASP is flagging jackson-databind-2.9.9.jar for CVE-2019-12814 MLIST [zookeeper-notifications] 20190624 [GitHub] [zookeeper] eolivelli closed pull request #1001: ZOOKEEPER-3441 OWASP is flagging jackson-databind-2.9.9.jar for CVE-2019-12814 MLIST [zookeeper-notifications] 20190624 [GitHub] [zookeeper] eolivelli commented on issue #1001: ZOOKEEPER-3441 OWASP is flagging jackson-databind-2.9.9.jar for CVE-2019-12814 MLIST [zookeeper-notifications] 20190624 [GitHub] [zookeeper] phunt commented on a change in pull request #1001: ZOOKEEPER-3441 OWASP is flagging jackson-databind-2.9.9.jar for CVE-2019-12814 MLIST [zookeeper-notifications] 20190710 [GitHub] [zookeeper] phunt closed pull request #1013: ZOOKEEPER-3441: OWASP is flagging jackson-databind-2.9.9.jar for CVE-2019-12814 MLIST [zookeeper-notifications] 20190710 [GitHub] [zookeeper] phunt opened a new pull request #1013: ZOOKEEPER-3441: OWASP is flagging jackson-databind-2.9.9.jar for CVE-2019-12814 CONFIRM https://github.com/FasterXML/jackson-databind/issues/2341 CONFIRM https://security.netapp.com/advisory/ntap-20190625-0006/ MISC https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.