Security readout for executives and security teams
Plain-English summary
This flaw can expose local server files when vulnerable Jackson JSON handling is combined with JDOM and unsafe polymorphic typing on an internet-facing JSON endpoint. It is not a general Jackson remote-code-execution finding from the supplied evidence, but file disclosure can still expose credentials, configuration, or sensitive business data.
Executive priority
Handle as a targeted confidentiality risk. It deserves timely remediation for internet-facing Java services, especially where secrets may reside on disk, but the supplied evidence supports moderate urgency rather than emergency response.
Technical view
CVE-2019-12814 is a CWE-502 polymorphic typing issue in FasterXML jackson-databind 2.x through 2.9.9. Exposure requires Default Typing, an externally exposed JSON endpoint, and JDOM 1.x or 2.x on the classpath. The stated impact is arbitrary local file read with CVSS 3.1 score 5.9.
Likely exposure
Most likely in Java services using jackson-databind 2.x through 2.9.9, enabling Default Typing, accepting untrusted JSON over a public route, and packaging JDOM. Dependency scanners may flag transitive Jackson copies in platforms such as ZooKeeper, Accumulo, or TomEE.
Exploitation context
The supplied sources do not show CISA KEV listing or confirmed active exploitation. The CVSS vector marks network access, no privileges, no user interaction, but high attack complexity. Treat exposure as configuration-dependent rather than automatically exploitable wherever Jackson exists.
Researcher notes
The key validation gate is the full precondition chain: affected jackson-databind, Default Typing, exposed JSON input, and JDOM present. Apache threads show downstream projects responding to scanner findings and dependency updates, but the bundle does not provide exploit telemetry or a universal fixed version statement.
Mitigation direction
- Inventory jackson-databind versions and upgrade affected packages using vendor guidance.
- Disable Default Typing for untrusted JSON where feasible.
- Remove unnecessary JDOM 1.x or 2.x dependencies from exposed services.
- Prioritize externally reachable JSON endpoints for remediation first.
- Apply distribution or project security updates, such as Debian package updates, where applicable.
Validation and detection
- Confirm whether jackson-databind 2.x through 2.9.9 is present.
- Check whether Default Typing is enabled globally or on exposed properties.
- Identify public JSON endpoints accepting untrusted request bodies.
- Verify whether JDOM 1.x or 2.x is on the runtime classpath.
- Review dependency scanner findings for patched downstream package versions.
Public sources used
- CVE Program
- CVE List V5
- Debian LTS DLA 1831-1 jackson-databind security update
- Apache ZooKeeper issue created for CVE-2019-12814 scanner finding
- Apache ZooKeeper issue resolved for CVE-2019-12814 scanner finding
- Apache Accumulo branch update using jackson-databind 2.9.9.1
- Apache TomEE update to jackson-databind 2.9.9.3
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CWE-502: Code execution behavior lookup
Code execution and unsafe deserialization weaknesses often justify reviewing execution behavior and process telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Open ATT&CK lookupCVE-2019-12814 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- Medium
- CVSS
- 5.9 (3.1)
- Known Exploited
- No
- Published
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
CVSS vector scores
1 official scoreWe collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N2.23.6Primary CVE scoreVulnerability scoring details
Base CVSS 3.1 score
5.9MediumVector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Source materials
- CVE List V5 sourceCVE List V5
- [debian-lts-announce] 20190621 [SECURITY] [DLA 1831-1] jackson-databind security updateCVE reference · mailing-list, x_refsource_MLIST
- [zookeeper-notifications] 20190623 [GitHub] [zookeeper] eolivelli opened a new pull request #1001: ZOOKEEPER-3441 OWASP is flagging jackson-databind-2.9.9.jar for CVE-2019-12814CVE reference · mailing-list, x_refsource_MLIST
- [zookeeper-issues] 20190623 [jira] [Updated] (ZOOKEEPER-3441) OWASP is flagging jackson-databind-2.9.9.jar for CVE-2019-12814CVE reference · mailing-list, x_refsource_MLIST
- [zookeeper-issues] 20190623 [jira] [Created] (ZOOKEEPER-3441) OWASP is flagging jackson-databind-2.9.9.jar for CVE-2019-12814CVE reference · mailing-list, x_refsource_MLIST
- [zookeeper-dev] 20190623 [jira] [Created] (ZOOKEEPER-3441) OWASP is flagging jackson-databind-2.9.9.jar for CVE-2019-12814CVE reference · mailing-list, x_refsource_MLIST
- [zookeeper-notifications] 20190624 [GitHub] [zookeeper] eolivelli closed pull request #1001: ZOOKEEPER-3441 OWASP is flagging jackson-databind-2.9.9.jar for CVE-2019-12814CVE reference · mailing-list, x_refsource_MLIST
- [zookeeper-notifications] 20190624 [GitHub] [zookeeper] phunt commented on a change in pull request #1001: ZOOKEEPER-3441 OWASP is flagging jackson-databind-2.9.9.jar for CVE-2019-12814CVE reference · mailing-list, x_refsource_MLIST
- [zookeeper-notifications] 20190624 [GitHub] [zookeeper] eolivelli commented on issue #1001: ZOOKEEPER-3441 OWASP is flagging jackson-databind-2.9.9.jar for CVE-2019-12814CVE reference · mailing-list, x_refsource_MLIST
- [zookeeper-issues] 20190708 [jira] [Commented] (ZOOKEEPER-3441) OWASP is flagging jackson-databind-2.9.9.jar for CVE-2019-12814CVE reference · mailing-list, x_refsource_MLIST
- [zookeeper-notifications] 20190710 [GitHub] [zookeeper] phunt closed pull request #1013: ZOOKEEPER-3441: OWASP is flagging jackson-databind-2.9.9.jar for CVE-2019-12814CVE reference · mailing-list, x_refsource_MLIST
- [zookeeper-notifications] 20190710 [GitHub] [zookeeper] phunt opened a new pull request #1013: ZOOKEEPER-3441: OWASP is flagging jackson-databind-2.9.9.jar for CVE-2019-12814CVE reference · mailing-list, x_refsource_MLIST
- [zookeeper-issues] 20190712 [jira] [Assigned] (ZOOKEEPER-3441) OWASP is flagging jackson-databind-2.9.9.jar for CVE-2019-12814CVE reference · mailing-list, x_refsource_MLIST
- [zookeeper-issues] 20190712 [jira] [Resolved] (ZOOKEEPER-3441) OWASP is flagging jackson-databind-2.9.9.jar for CVE-2019-12814CVE reference · mailing-list, x_refsource_MLIST
- [zookeeper-issues] 20190712 [jira] [Commented] (ZOOKEEPER-3441) OWASP is flagging jackson-databind-2.9.9.jar for CVE-2019-12814CVE reference · mailing-list, x_refsource_MLIST
- [zookeeper-issues] 20190713 [jira] [Updated] (ZOOKEEPER-3441) OWASP is flagging jackson-databind-2.9.9.jar for CVE-2019-12814CVE reference · mailing-list, x_refsource_MLIST
- [accumulo-commits] 20190723 [accumulo] branch 2.0 updated: Fix CVE-2019-12814 Use jackson-databind 2.9.9.1CVE reference · mailing-list, x_refsource_MLIST
- [tomee-dev] 20190905 [GitHub] [tomee] asf-ci commented on issue #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439CVE reference · mailing-list, x_refsource_MLIST
- [tomee-dev] 20190905 [GitHub] [tomee] asf-ci commented on issue #548: [TOMEE-2655] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439CVE reference · mailing-list, x_refsource_MLIST
- [tomee-dev] 20190905 [GitHub] [tomee] rzo1 opened a new pull request #548: [TOMEE-2655] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439CVE reference · mailing-list, x_refsource_MLIST
- [tomee-dev] 20190905 [GitHub] [tomee] rzo1 opened a new pull request #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439CVE reference · mailing-list, x_refsource_MLIST
- [tomee-dev] 20190905 [GitHub] [tomee] robert-schaft-hon commented on issue #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439CVE reference · mailing-list, x_refsource_MLIST
- [tomee-dev] 20190906 [GitHub] [tomee] rzo1 commented on issue #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439CVE reference · mailing-list, x_refsource_MLIST
- [struts-dev] 20190908 Build failed in Jenkins: Struts-master-JDK8-dependency-check #204CVE reference · mailing-list, x_refsource_MLIST
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
Deserialization of Untrusted Data
Deserialization of Untrusted Data represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
