cve/2019/CVE-2019-14892.md

### [CVE-2019-14892](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14892)
![](https://img.shields.io/static/v1?label=Product&message=jackson-databind&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=Versions%20before%202.6.7.3%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=Versions%20before%202.8.11.5%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=Versions%20before%202.9.10%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-200&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-502&color=brightgreen)

### Description

A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code.

### POC

#### Reference
- https://github.com/FasterXML/jackson-databind/issues/2462

#### Github
- https://github.com/A-TPL-Bench/LibHunter
- https://github.com/ARPSyndicate/cvemon
- https://github.com/Anonymous-Phunter/PHunter
- https://github.com/CGCL-codes/LibHunter
- https://github.com/CGCL-codes/PHunter
- https://github.com/LibHunter/LibHunter
- https://github.com/Live-Hack-CVE/CVE-2019-14892
- https://github.com/OWASP/www-project-ide-vulscanner
- https://github.com/PalindromeLabs/Java-Deserialization-CVEs
- https://github.com/fossas/cse-challenge-dropwizard
- https://github.com/seal-community/patches