
CVE-2019-12814: Polymorphic Typing issue in FasterXML jackson-databind (JDOM gadget, arbitrary file read)

High
Tags: Vulnerability, CVE-2019-12814, cve
Published: Wed Jun 19 2019 (06/19/2019, 13:24:44 UTC)
Source: CVE
Vendor/Project: n/a
Product: n/a

Description

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.

AI-Powered Analysis

AI analysis last updated: 06/25/2025, 17:22:39 UTC

Technical Analysis

CVE-2019-12814 is a deserialization vulnerability (CWE-502 class) in FasterXML jackson-databind 2.x through 2.9.9, the most widely used JSON binding library for Java. Its Default Typing feature (ObjectMapper.enableDefaultTyping() globally, or @JsonTypeInfo with a class-name type id on a single property) makes the deserializer read a fully qualified class name out of the JSON payload and instantiate that class, so that polymorphic values can be bound without a declared list of subtypes. When the declared target type is broad (Object, Serializable, an interface or an abstract class), whoever controls the JSON also controls which class is instantiated, and any class on the classpath whose constructor or setters do something dangerous with attacker-supplied values becomes a "gadget".

The gadget for this CVE comes from JDOM, a Java XML document model that many applications carry as a direct or transitive dependency. If JDOM 1.x or 2.x is on the classpath, a crafted JSON message can instantiate a JDOM class whose constructor loads a stylesheet from a location supplied in the payload, which lets the attacker read arbitrary local files readable by the JVM process (information disclosure). JDOM itself is not defective; the fix belongs to jackson-databind, whose 2.9.9.1 release adds the JDOM transformer classes to its internal deserialization blocklist.

Exploitation requires three conditions at once: (a) a JSON endpoint reachable by the attacker, (b) Default Typing enabled on the ObjectMapper, or a class-name @JsonTypeInfo on a property with a broad declared type, and (c) JDOM on the classpath. Jackson's own documentation discourages Default Typing on untrusted input, but it remains common in legacy code and in frameworks that enable it for convenience. No exploitation in the wild is recorded, and no vendor advisory or patch is linked in the data presented here. The vulnerability was published on June 19, 2019 and is CISA-enriched (see Technical Details). No CVSS score is recorded, so severity has to be inferred from the technical facts: an unauthenticated remote file read against any application meeting the three conditions above.

Potential Impact

For European organizations the impact can be significant wherever Java services deserialize untrusted JSON with jackson-databind Default Typing enabled and carry JDOM on the classpath, a combination that is easy to have without knowing it because JDOM is frequently pulled in transitively. Successful exploitation discloses any file the JVM process can read: application and framework configuration, database and cloud credentials, private keys, personal data, source code and other intellectual property. The direct effect is loss of confidentiality, but leaked credentials typically enable follow-on access, privilege escalation and lateral movement. Finance, healthcare, government and telecommunications in Europe run large Java estates, and under GDPR a file read that exposes personal data is a reportable breach whether or not any further compromise follows. Because the precondition is an attacker-reachable JSON endpoint, internet-facing APIs and microservice gateways are the most exposed. No exploitation in the wild is recorded here, which lowers immediate urgency but not the risk: Default Typing gadget chains are public and well understood, and swapping in a new gadget class is a small change to an existing payload.

Mitigation Recommendations

To mitigate CVE-2019-12814, European organizations should take the following specific actions:

1) Inventory jackson-databind usage. Check dependency trees (mvn dependency:tree, gradle dependencies) and deployed lib directories for jackson-databind 2.x up to and including 2.9.9, and search code and configuration for enableDefaultTyping, activateDefaultTyping, and @JsonTypeInfo with Id.CLASS or Id.MINIMAL_CLASS on properties whose declared type is Object, Serializable, an interface or an abstract class.

2) Upgrade jackson-databind to 2.9.9.1 or later, the release that blocks the JDOM gadget classes. The blocklist is reactive by design, and subsequent releases block further gadgets, so move to a current 2.x release rather than the minimum fix.

3) Disable Default Typing wherever possible. Where polymorphic deserialization is genuinely required, declare the permitted subtypes explicitly with @JsonTypeInfo(use = Id.NAME) plus @JsonSubTypes, or, on jackson-databind 2.10 and later, call activateDefaultTyping with a BasicPolymorphicTypeValidator that allows only application classes. Note that the SubTypeValidator class inside jackson-databind is the library's internal gadget denylist, not a user-configurable allowlist.

4) Check whether JDOM is actually needed. Removing it from the classpath removes this gadget, but other gadget classes exist, so this is a stopgap rather than a fix; there is no "fixed" JDOM version to upgrade to, because the library is not the defect.

5) Treat WAF or RASP rules that flag class names in JSON (for example an array whose first element is a fully qualified class name) as defense in depth only; they can be evaded and do not replace the code and dependency changes above.

6) Monitor application logs for InvalidTypeIdException and InvalidDefinitionException errors from Jackson, and watch for unexpected file reads by the JVM process via auditd or endpoint telemetry.

7) Verify the mitigations with a test: a payload naming a class outside the allowlist must be rejected by every externally exposed ObjectMapper, and deserialization-focused penetration testing should confirm this on the running service.
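The weak and hardened configurations discussed in the analysis and in mitigation step 3, side by side. This is an added example written for this page; it is not code from the advisory or from the jackson-databind project. It assumes jackson-databind 2.10 or newer (activateDefaultTyping and BasicPolymorphicTypeValidator do not exist in 2.9.x), and the package com.example.model, the Note class and the two JSON payloads are constructed stand-ins. java.net.URL is used as a harmless placeholder for a gadget class; the JDOM classes the CVE refers to would occupy the same position in the payload.

```java
package com.example.model;

import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

/**
 * Added example, not part of the advisory or of jackson-databind.
 * Assumes jackson-databind 2.10+; com.example.model and Note are hypothetical
 * stand-ins for an application's own package and types.
 */
public class DefaultTypingDemo {

    /** A legitimate application type the service actually expects. */
    public static class Note {
        public String text;
    }

    // Constructed payloads in Jackson's WRAPPER_ARRAY default-typing form:
    // [ "<fully qualified class name>", <value> ]. The first element is chosen
    // by whoever sends the JSON.
    static final String LEGIT_JSON =
            "[\"com.example.model.DefaultTypingDemo$Note\", {\"text\": \"hello\"}]";
    // java.net.URL stands in for a gadget class such as the JDOM transformer.
    static final String ATTACKER_JSON =
            "[\"java.net.URL\", \"http://attacker.example/evil.xsl\"]";

    /** The weak configuration from the CVE: any class on the classpath may be named. */
    @SuppressWarnings("deprecation")
    static ObjectMapper vulnerableMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // OBJECT_AND_NON_CONCRETE, no type validation
        return mapper;
    }

    /** Hardened: default typing stays on, but only application classes may be named. */
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.") // prefix match on the class name
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv); // same mode as above, with an allow-list
        return mapper;
    }

    /** Deserializes into the broad target type Object and reports what happened. */
    static String describe(ObjectMapper mapper, String json) {
        try {
            Object value = mapper.readValue(json, Object.class);
            return "instantiated " + value.getClass().getName();
        } catch (JsonMappingException e) {
            // A denied type id surfaces as InvalidTypeIdException,
            // which is a JsonMappingException subtype.
            return "rejected: " + e.getOriginalMessage();
        } catch (java.io.IOException e) {
            return "parse error: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        System.out.println("vulnerable, legit    : " + describe(vulnerableMapper(), LEGIT_JSON));
        System.out.println("vulnerable, attacker : " + describe(vulnerableMapper(), ATTACKER_JSON));
        System.out.println("hardened,   legit    : " + describe(hardenedMapper(), LEGIT_JSON));
        System.out.println("hardened,   attacker : " + describe(hardenedMapper(), ATTACKER_JSON));
    }
}
```

Run it with jackson-databind 2.10 or later on the classpath. The vulnerable mapper instantiates both payloads, which is the whole problem: the JSON, not the application, decided that java.net.URL should be constructed. The hardened mapper still binds the application's own Note type but refuses the attacker's class name before loading it, so a gadget that happens to be on the classpath is never reached. The allowlist is deliberately a package prefix rather than "everything not on a denylist"; a denylist is what jackson-databind itself maintains, and this CVE exists because that list had not yet caught up with JDOM.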


Technical Details

Data Version
5.1
Assigner Short Name
mitre
Date Reserved
2019-06-13T00:00:00.000Z
Cisa Enriched
true
Cvss Version
null
State
PUBLISHED

Threat ID: 682d983ac4522896dcbed040

Added to database: 5/21/2025, 9:09:14 AM

Last enriched: 6/25/2025, 5:22:39 PM

Last updated: 8/11/2025, 1:41:45 PM
