VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-tm7y-tnx3-43dq

Essentials
Severities (21)
References (21)
Severity details (12)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-tm7y-tnx3-43dq
Aliases	CVE-2019-14893 GHSA-qmqc-x3r4-6v39
Summary	Polymorphic deserialization of malicious object in jackson-databind A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.
Status	Published
Exploitability	0.5
Weighted Severity	8.0
Risk	4.0
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-502	Deserialization of Untrusted Data
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
generic_textual	HIGH	https://access.redhat.com/errata/RHSA-2020:0729
cvssv3	7.5	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-14893.json
epss	0.00956	https://api.first.org/data/v1/epss?cve=CVE-2019-14893
epss	0.00956	https://api.first.org/data/v1/epss?cve=CVE-2019-14893
epss	0.00956	https://api.first.org/data/v1/epss?cve=CVE-2019-14893
epss	0.00956	https://api.first.org/data/v1/epss?cve=CVE-2019-14893
epss	0.00956	https://api.first.org/data/v1/epss?cve=CVE-2019-14893
epss	0.00956	https://api.first.org/data/v1/epss?cve=CVE-2019-14893
epss	0.00956	https://api.first.org/data/v1/epss?cve=CVE-2019-14893
epss	0.00956	https://api.first.org/data/v1/epss?cve=CVE-2019-14893
epss	0.00956	https://api.first.org/data/v1/epss?cve=CVE-2019-14893
generic_textual	HIGH	https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14893
cvssv3.1_qr	HIGH	https://github.com/advisories/GHSA-qmqc-x3r4-6v39
generic_textual	HIGH	https://github.com/FasterXML/jackson-databind/commit/998efd708284778f29d83d7962a9bd935c228317
generic_textual	HIGH	https://github.com/FasterXML/jackson-databind/issues/2469
generic_textual	HIGH	https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E
generic_textual	HIGH	https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E
generic_textual	HIGH	https://nvd.nist.gov/vuln/detail/CVE-2019-14893
generic_textual	HIGH	https://security.netapp.com/advisory/ntap-20200327-0006
generic_textual	HIGH	https://www.oracle.com/security-alerts/cpujul2020.html
generic_textual	HIGH	https://www.oracle.com/security-alerts/cpuoct2020.html

Reference id	Reference type	URL
		https://access.redhat.com/errata/RHSA-2020:0729
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-14893.json
		https://api.first.org/data/v1/epss?cve=CVE-2019-14893
		https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14893
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14893
		https://github.com/FasterXML/jackson-databind/commit/998efd708284778f29d83d7962a9bd935c228317
		https://github.com/FasterXML/jackson-databind/issues/2469
		https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E
		https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E
		https://nvd.nist.gov/vuln/detail/CVE-2019-14893
		https://security.netapp.com/advisory/ntap-20200327-0006
		https://security.netapp.com/advisory/ntap-20200327-0006/
		https://www.oracle.com/security-alerts/cpujul2020.html
		https://www.oracle.com/security-alerts/cpuoct2020.html
1758182		https://bugzilla.redhat.com/show_bug.cgi?id=1758182
GHSA-qmqc-x3r4-6v39		https://github.com/advisories/GHSA-qmqc-x3r4-6v39
RHSA-2020:0895		https://access.redhat.com/errata/RHSA-2020:0895
RHSA-2020:0899		https://access.redhat.com/errata/RHSA-2020:0899
RHSA-2020:2067		https://access.redhat.com/errata/RHSA-2020:2067
RHSA-2020:2333		https://access.redhat.com/errata/RHSA-2020:2333
RHSA-2020:3192		https://access.redhat.com/errata/RHSA-2020:3192

No exploits are available.

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-14893.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.76377
EPSS Score	0.00956
Published At	April 1, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-04-01T13:00:33.981235+00:00	GithubOSV Importer	Import	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-qmqc-x3r4-6v39/GHSA-qmqc-x3r4-6v39.json	38.0.0