Deserialization of Untrusted Data The advisory has been revoked - it doesn't affect any version of package xml-commons-resolver Open this link in a new tab

Threat Intelligence

EPSS 0.7% (81^st percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-RHEL8-XMLCOMMONSRESOLVER-1366188
published 26 Jul 2021
disclosed 4 Jun 2019

Report a new vulnerability Found a mistake?

Introduced: 4 Jun 2019

CVE-2019-12814 Open this link in a new tab CWE-502 Open this link in a new tab CWE-200 Open this link in a new tab

Amendment

The Red Hat security team deemed this advisory irrelevant for RHEL:8.

NVD Description

Note: Versions mentioned in the description apply only to the upstream xml-commons-resolver package and not the xml-commons-resolver package as distributed by RHEL.

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.

Deserialization of Untrusted Data The advisory has been revoked - it doesn't affect any version of package xml-commons-resolver Open this link in a new tab

Threat Intelligence

Introduced: 4 Jun 2019

Amendment

NVD Description

References