From ac8092a1878b190b9b7207e0b76d7ff30fc76f43 Mon Sep 17 00:00:00 2001
From: Guilherme de Almeida Suckevicz <gsuckevi@redhat.com>
Date: Mon, 2 Mar 2020 15:08:31 -0300
Subject: [PATCH] CVE-2019-14893 init.

---
 2019/14xxx/CVE-2019-14893.json | 87 ++++++++++++++++++++++++++++++++++
 1 file changed, 87 insertions(+)
 create mode 100644 2019/14xxx/CVE-2019-14893.json

diff --git a/2019/14xxx/CVE-2019-14893.json b/2019/14xxx/CVE-2019-14893.json
new file mode 100644
index 00000000000..c61cd8a0178
--- /dev/null
+++ b/2019/14xxx/CVE-2019-14893.json
@@ -0,0 +1,87 @@
+{
+    "data_type": "CVE",
+    "data_format": "MITRE",
+    "data_version": "4.0",
+    "CVE_data_meta": {
+        "ID": "CVE-2019-14893",
+        "ASSIGNER": "gsuckevi@redhat.com"
+    },
+    "affects": {
+        "vendor": {
+            "vendor_data": [
+                {
+                    "vendor_name": "Red Hat",
+                    "product": {
+                        "product_data": [
+                            {
+                                "product_name": "jackson-databind",
+                                "version": {
+                                    "version_data": [
+                                        {
+                                            "version_value": "2.9.10"
+                                        },
+                                        {
+                                            "version_value": "2.10.0"
+                                        }
+                                    ]
+                                }
+                            }
+                        ]
+                    }
+                }
+            ]
+        }
+    },
+    "problemtype": {
+        "problemtype_data": [
+            {
+                "description": [
+                    {
+                        "lang": "eng",
+                        "value": "CWE-502"
+                    }
+                ]
+            },
+            {
+                "description": [
+                    {
+                        "lang": "eng",
+                        "value": "CWE-200"
+                    }
+                ]
+            }
+        ]
+    },
+    "references": {
+        "reference_data": [
+            {
+                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14893",
+                "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14893",
+                "refsource": "CONFIRM"
+            },
+            {
+                "url": "https://github.com/FasterXML/jackson-databind/issues/2469",
+                "name": "https://github.com/FasterXML/jackson-databind/issues/2469",
+                "refsource": "MISC"
+            }
+        ]
+    },
+    "description": {
+        "description_data": [
+            {
+                "lang": "eng",
+                "value": "A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code."
+            }
+        ]
+    },
+    "impact": {
+        "cvss": [
+            [
+                {
+                    "vectorString": "7.5/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
+                    "version": "3.0"
+                }
+            ]
+        ]
+    }
+}
\ No newline at end of file