CVE-2019-12814: n/a in n/a
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.
AI Analysis
Technical Summary
CVE-2019-12814 is a security vulnerability identified in the FasterXML jackson-databind library versions 2.x through 2.9.9. The vulnerability arises from a polymorphic typing issue when Default Typing is enabled either globally or on specific properties in JSON deserialization processes. Jackson-databind is a widely used Java library for processing JSON data, and enabling Default Typing allows the deserializer to infer and instantiate Java types dynamically based on type information embedded in JSON payloads. This feature, while flexible, can be exploited if not properly controlled. The vulnerability specifically manifests when the application using jackson-databind also includes the JDOM 1.x or 2.x library in its classpath. JDOM is a Java-based document object model for XML that is commonly used in Java applications for XML parsing and manipulation. An attacker can craft a malicious JSON payload that leverages polymorphic deserialization to instantiate JDOM classes in a way that triggers the reading of arbitrary local files on the server. This results in an information disclosure vulnerability, allowing unauthorized access to sensitive files on the host system. The attack vector requires that the JSON endpoint is externally exposed and that Default Typing is enabled, which is often discouraged in secure configurations but may be present in legacy or misconfigured systems. There is no indication of known exploits in the wild, and no official patches or vendor advisories are linked in the provided data. The vulnerability was published on June 19, 2019, and is recognized by CISA, indicating its relevance to cybersecurity stakeholders. The absence of a CVSS score suggests that the severity assessment must be inferred from the technical details and potential impact.
Potential Impact
For European organizations, the impact of CVE-2019-12814 can be significant, especially for those relying on Java-based web services that use jackson-databind with Default Typing enabled and include JDOM libraries. Successful exploitation can lead to unauthorized disclosure of sensitive local files, which may contain configuration files, credentials, personal data, or intellectual property. This compromises confidentiality and could facilitate further attacks such as privilege escalation or lateral movement within the network. Critical sectors such as finance, healthcare, government, and telecommunications in Europe often deploy Java-based applications and may be at risk if they have not updated or audited their jackson-databind usage. The vulnerability does not directly impact system integrity or availability but can undermine trust and compliance with data protection regulations like GDPR due to data leakage. Since exploitation requires an externally exposed JSON endpoint with Default Typing enabled, organizations with internet-facing APIs or microservices are particularly vulnerable. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers often reverse engineer such vulnerabilities over time.
Mitigation Recommendations
To mitigate CVE-2019-12814, European organizations should take the following specific actions:
1) Audit all Java applications and services to identify usage of jackson-databind, particularly versions 2.x through 2.9.9, and check if Default Typing is enabled globally or on any properties.
2) Disable Default Typing wherever possible, as it is a known source of deserialization vulnerabilities. If polymorphic deserialization is necessary, restrict allowed types explicitly using jackson-databind's SubtypeValidator or similar mechanisms to whitelist safe classes.
3) Remove or update the JDOM library if it is not required; if required, consider upgrading to versions that are not susceptible or isolating its usage.
4) Implement strict input validation and filtering on JSON endpoints to prevent malicious payloads.
5) Employ runtime application self-protection (RASP) or web application firewalls (WAF) with rules targeting suspicious deserialization patterns.
6) Monitor logs for unusual file access patterns or errors related to JSON deserialization.
7) Where possible, upgrade jackson-databind to versions beyond 2.9.9 where this vulnerability is addressed.
8) Conduct penetration testing focused on deserialization attacks to verify the effectiveness of mitigations.
These steps go beyond generic advice by focusing on configuration auditing, library management, and runtime protections tailored to the specific vulnerability.
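The following is an added example, not code from the advisory or from the jackson-databind project, showing the weak configuration (unrestricted Default Typing) beside the hardened one from step 2. It assumes jackson-databind 2.10 or later, where the allow-list API is called PolymorphicTypeValidator; the Dog class and the two JSON payloads are constructed for the example.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingHardening {

    // Hypothetical domain type that the endpoint legitimately needs to deserialize.
    public static class Dog {
        public String name;
    }

    // Weak setting: Default Typing for every non-final type with no validator,
    // so any class on the classpath can be named by the JSON type id.
    static ObjectMapper unsafeMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL); // deprecated since 2.10
        return m;
    }

    // Hardened setting: Default Typing stays on, but only Dog (and its subclasses)
    // may appear as a type id; everything else is rejected before instantiation.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Dog.class)
                .build();
        return JsonMapper.builder()
                .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL)
                .build();
    }

    // Returns the class Jackson instantiated, or null if the type id was rejected.
    static Class<?> tryDeserialize(ObjectMapper mapper, String json) throws Exception {
        try {
            return mapper.readValue(json, Object.class).getClass();
        } catch (InvalidTypeIdException e) {
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed payloads in Jackson's WRAPPER_ARRAY form: [type id, value].
        String expected = "[\"" + Dog.class.getName() + "\",{\"name\":\"Rex\"}]";
        String unlisted = "[\"java.util.HashMap\",{}]";

        System.out.println(tryDeserialize(unsafeMapper(), unlisted));   // instantiated: HashMap
        System.out.println(tryDeserialize(hardenedMapper(), unlisted)); // null: rejected
        System.out.println(tryDeserialize(hardenedMapper(), expected)); // instantiated: Dog
    }
}
```

A rejected type id surfaces as InvalidTypeIdException in the application log, which is the "errors related to JSON deserialization" signal that step 6 recommends monitoring.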
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden, Belgium, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2019-06-13T00:00:00.000Z
- CISA Enriched: true
- CVSS Version: null
- State: PUBLISHED
Threat ID: 682d983ac4522896dcbed040
Added to database: 5/21/2025, 9:09:14 AM
Last enriched: 6/25/2025, 5:22:39 PM
Last updated: 8/11/2025, 1:41:45 PM