LiveActive security incident?Get immediate response
CVE Record

CVE-2019-12814: A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9.

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.

MediumCVSS 5.9Not KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

This flaw can expose local server files when vulnerable Jackson JSON handling is combined with JDOM and unsafe polymorphic typing on an internet-facing JSON endpoint. It is not a general Jackson remote-code-execution finding from the supplied evidence, but file disclosure can still expose credentials, configuration, or sensitive business data.

Executive priority

Handle as a targeted confidentiality risk. It deserves timely remediation for internet-facing Java services, especially where secrets may reside on disk, but the supplied evidence supports moderate urgency rather than emergency response.

Technical view

CVE-2019-12814 is a CWE-502 polymorphic typing issue in FasterXML jackson-databind 2.x through 2.9.9. Exposure requires Default Typing, an externally exposed JSON endpoint, and JDOM 1.x or 2.x on the classpath. The stated impact is arbitrary local file read with CVSS 3.1 score 5.9.

Likely exposure

Most likely in Java services using jackson-databind 2.x through 2.9.9, enabling Default Typing, accepting untrusted JSON over a public route, and packaging JDOM. Dependency scanners may flag transitive Jackson copies in platforms such as ZooKeeper, Accumulo, or TomEE.

Exploitation context

The supplied sources do not show CISA KEV listing or confirmed active exploitation. The CVSS vector marks network access, no privileges, no user interaction, but high attack complexity. Treat exposure as configuration-dependent rather than automatically exploitable wherever Jackson exists.

Researcher notes

The key validation gate is the full precondition chain: affected jackson-databind, Default Typing, exposed JSON input, and JDOM present. Apache threads show downstream projects responding to scanner findings and dependency updates, but the bundle does not provide exploit telemetry or a universal fixed version statement.

Mitigation direction

  • Inventory jackson-databind versions and upgrade affected packages using vendor guidance.
  • Disable Default Typing for untrusted JSON where feasible.
  • Remove unnecessary JDOM 1.x or 2.x dependencies from exposed services.
  • Prioritize externally reachable JSON endpoints for remediation first.
  • Apply distribution or project security updates, such as Debian package updates, where applicable.

Validation and detection

  • Confirm whether jackson-databind 2.x through 2.9.9 is present.
  • Check whether Default Typing is enabled globally or on exposed properties.
  • Identify public JSON endpoints accepting untrusted request bodies.
  • Verify whether JDOM 1.x or 2.x is on the runtime classpath.
  • Review dependency scanner findings for patched downstream package versions.
Prepared
Confidence
high
Sources
7

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · medium confidence lookup

CWE-502: Code execution behavior lookup

Code execution and unsafe deserialization weaknesses often justify reviewing execution behavior and process telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2019-12814 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Medium
CVSS
5.9 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
0Timeline events
0ADP providers
41Source links

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
5.9CVSS 3.1MediumCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N2.23.6Primary CVE score

Vulnerability scoring details

Base CVSS 3.1 score

5.9Medium
CVSS 3.1 vector shape for CVE-2019-12814Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
n/an/an/aListed
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-502 · source CWE mapping

Deserialization of Untrusted Data

Deserialization of Untrusted Data represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.