CVE-2019-16942 in jackson-databindinfo

Summary

by MITRE

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 05/19/2025

The vulnerability CVE-2019-16942 represents a critical polymorphic typing flaw within the FasterXML jackson-databind library that enables remote code execution under specific conditions. This issue affects versions ranging from 2.0.0 through 2.9.10 and stems from the dangerous combination of default typing configuration with particular database connection pool components. The vulnerability operates through a sophisticated chain of exploitation that leverages the interaction between JSON deserialization and database connection pooling mechanisms.

The technical flaw manifests when Default Typing is enabled in jackson-databind, creating a pathway for attackers to manipulate serialized objects during deserialization. The vulnerability specifically targets org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource classes which mishandle the polymorphic typing process. When these components encounter maliciously crafted JSON input, they can trigger the instantiation of arbitrary classes, effectively bypassing normal security boundaries. The attack requires the presence of commons-dbcp 1.4 jar in the classpath, making it a classpath-dependent vulnerability that cannot be exploited in isolation.

The operational impact of this vulnerability is severe and potentially devastating for affected systems. An attacker who controls an externally exposed JSON endpoint can execute arbitrary code on the target system with the privileges of the running application. This represents a complete compromise of system security and can lead to data exfiltration, privilege escalation, and further network infiltration. The vulnerability enables attackers to leverage RMI service endpoints as attack vectors, making it particularly dangerous in enterprise environments where RMI services are commonly deployed. The attack chain allows for remote code execution without requiring authentication, making it an attractive target for automated exploitation.

The vulnerability aligns with CWE-502 which describes "Deserialization of Untrusted Data" and maps to ATT&CK technique T1059.007 for "Command and Scripting Interpreter: PowerShell" and T1068 for "Exploitation for Privilege Escalation." Organizations affected by this vulnerability should immediately disable default typing in jackson-databind or implement strict type validation. The recommended mitigation includes upgrading to jackson-databind version 2.9.10.1 or later, which contains fixes for this specific vulnerability. Additionally, organizations should review their classpaths to remove or isolate commons-dbcp 1.4 components and implement proper input validation and sanitization measures. Network segmentation and monitoring for suspicious RMI activity can provide additional defense layers against exploitation attempts.

Reservation

09/29/2019

Moderation

accepted

CPE

ready

EPSS

0.05728

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!