CVE-2019-16943 [Critical] | Security Vulnerability in Jackson-Databind

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-06-15	1.84%	4.86%	+3.02%
2	2026-06-10	1.89%	1.84%	-0.05%
3	2026-05-28	—	1.89%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-06-15

1.84%

4.86%

+3.02%

2026-06-10

1.89%

1.84%

-0.05%

2026-05-28

—

1.89%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
9.8	3.1	CRITICAL	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` Click to expand Attack vector (AV:N) Could be attacked over the internet or any normal routed network—not just someone sitting at the machine. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:N) No account or special rights needed—anonymous or random user is enough. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:H) Serious risk that confidential data gets exposed in a big way. Integrity (I:H) They could widely tamper with or forge data—trust in the data is badly hurt. Availability (A:H) Could take the service down hard or make it unusable for people who depend on it.	3.9	5.9	[email protected]
6.8	2.0	MEDIUM	`AV:N/AC:M/Au:N/C:P/I:P/A:P` Click to expand Access vector (AV:N) Can be exploited remotely over network reachability. Access complexity (AC:M) Exploitation needs some favorable conditions, but not exceptional ones. Authentication (AU:N) No authentication is required. Confidentiality impact (C:P) Partial confidentiality impact. Integrity impact (I:P) Partial integrity impact. Availability impact (A:P) Partial availability impact.	8.6	6.4	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

9.8

3.1

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Click to expand

Attack vector (AV:N): Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N): No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H): Serious risk that confidential data gets exposed in a big way.
Integrity (I:H): They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H): Could take the service down hard or make it unusable for people who depend on it.

3.9

5.9

[email protected]

6.8

2.0

MEDIUM

AV:N/AC:M/Au:N/C:P/I:P/A:P Click to expand

Access vector (AV:N): Can be exploited remotely over network reachability.
Access complexity (AC:M): Exploitation needs some favorable conditions, but not exceptional ones.
Authentication (AU:N): No authentication is required.
Confidentiality impact (C:P): Partial confidentiality impact.
Integrity impact (I:P): Partial integrity impact.
Availability impact (A:P): Partial availability impact.

8.6

6.4

[email protected]

OS Trackers for CVE-2019-16943

vendor	priority	summary	link
`debian`	not yet assigned	CVE-2019-16943 not yet assigned priority: Debian including 1 source packages (jackson-databind), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5.	https://security-tracker.debian.org/tracker/CVE-2019-16943
`redhat`	medium	—	https://access.redhat.com/security/cve/CVE-2019-16943
`suse`	high	CVE-2019-16943 severity important: SUSE including 56 source package names (apache-commons-collections-3.2.2-10.module+el8.1.0+3366+6dfb954c, apache-commons-lang-2.6-21.module+el8.1.0+3366+6dfb954c, …), 72 product×package rows across 17 product lines (SUSE Enterprise Storage 7.1, SUSE Liberty Linux 8, … (17 product lines)): Fixed 54, Known Not Affected 18.	https://www.suse.com/security/cve/CVE-2019-16943/
`ubuntu`	medium	CVE-2019-16943 medium priority: Ubuntu including 1 source packages (jackson-databind), 18 status rows across 18 suites (bionic, disco, eoan, focal, groovy, hirsute, impish, jammy, kinetic, lunar, mantic, noble, oracular, plucky, questing, trusty, upstream, xenial): not-affected 12, needs-triage 3, ignored 2, released 1.	https://ubuntu.com/security/CVE-2019-16943

Affected software / configurations for CVE-2019-16943

Vendor	Product	Version	Raw CPE
fasterxml	jackson-databind	>= 2.0.0, < 2.6.7.3	cpe:2.3:a:fasterxml:jackson-databind::::::::
fasterxml	jackson-databind	>= 2.7.0, < 2.8.11.5	cpe:2.3:a:fasterxml:jackson-databind::::::::
fasterxml	jackson-databind	>= 2.9.0, < 2.9.10.1	cpe:2.3:a:fasterxml:jackson-databind::::::::
debian	debian_linux	8.0	cpe:2.3:o:debian:debian_linux:8.0:::::::*
debian	debian_linux	9.0	cpe:2.3:o:debian:debian_linux:9.0:::::::*
debian	debian_linux	10.0	cpe:2.3:o:debian:debian_linux:10.0:::::::*
fedoraproject	fedora	30	cpe:2.3:o:fedoraproject:fedora:30:::::::*
fedoraproject	fedora	31	cpe:2.3:o:fedoraproject:fedora:31:::::::*
redhat	jboss_enterprise_application_platform	7.2	cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2:::::::*
redhat	jboss_enterprise_application_platform	7.3	cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3:::::::*
oracle	banking_platform	2.4.0	cpe:2.3:a:oracle:banking_platform:2.4.0:::::::*
oracle	banking_platform	2.4.1	cpe:2.3:a:oracle:banking_platform:2.4.1:::::::*
oracle	banking_platform	2.5.0	cpe:2.3:a:oracle:banking_platform:2.5.0:::::::*
oracle	banking_platform	2.6.0	cpe:2.3:a:oracle:banking_platform:2.6.0:::::::*
oracle	banking_platform	2.6.1	cpe:2.3:a:oracle:banking_platform:2.6.1:::::::*
oracle	banking_platform	2.6.2	cpe:2.3:a:oracle:banking_platform:2.6.2:::::::*
oracle	banking_platform	2.7.0	cpe:2.3:a:oracle:banking_platform:2.7.0:::::::*
oracle	banking_platform	2.7.1	cpe:2.3:a:oracle:banking_platform:2.7.1:::::::*
oracle	banking_platform	2.9.0	cpe:2.3:a:oracle:banking_platform:2.9.0:::::::*
oracle	communications_billing_and_revenue_management	7.5.0.23.0	cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5.0.23.0:::::::*
oracle	communications_billing_and_revenue_management	12.0.0.3.0	cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0.0.3.0:::::::*
oracle	communications_calendar_server	8.0.0.2.0	cpe:2.3:a:oracle:communications_calendar_server:8.0.0.2.0:::::::*
oracle	communications_calendar_server	8.0.0.3.0	cpe:2.3:a:oracle:communications_calendar_server:8.0.0.3.0:::::::*
oracle	communications_cloud_native_core_network_slice_selection_function	1.2.1	cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:1.2.1:::::::*
oracle	communications_evolved_communications_application_server	7.1	cpe:2.3:a:oracle:communications_evolved_communications_application_server:7.1:::::::*
oracle	global_lifecycle_management_nextgen_oui_framework	12.2.1.3.0	cpe:2.3:a:oracle:global_lifecycle_management_nextgen_oui_framework:12.2.1.3.0:::::::*
oracle	global_lifecycle_management_nextgen_oui_framework	12.2.1.4.0	cpe:2.3:a:oracle:global_lifecycle_management_nextgen_oui_framework:12.2.1.4.0:::::::*
oracle	global_lifecycle_management_nextgen_oui_framework	13.9.4.2.2	cpe:2.3:a:oracle:global_lifecycle_management_nextgen_oui_framework:13.9.4.2.2:::::::*
oracle	goldengate_application_adapters	19.1.0.0.0	cpe:2.3:a:oracle:goldengate_application_adapters:19.1.0.0.0:::::::*
oracle	jd_edwards_enterpriseone_orchestrator	9.2	cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:9.2:::::::*
oracle	jd_edwards_enterpriseone_tools	9.2	cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:::::::*
oracle	primavera_gateway	>= 17.7, <= 17.12.6	cpe:2.3:a:oracle:primavera_gateway::::::::
oracle	primavera_gateway	>= 18.8.0, <= 18.8.8	cpe:2.3:a:oracle:primavera_gateway::::::::
oracle	primavera_gateway	16.1	cpe:2.3:a:oracle:primavera_gateway:16.1:::::::*
oracle	primavera_gateway	16.2	cpe:2.3:a:oracle:primavera_gateway:16.2:::::::*
oracle	primavera_gateway	19.12.0	cpe:2.3:a:oracle:primavera_gateway:19.12.0:::::::*
oracle	retail_merchandising_system	15.0.3	cpe:2.3:a:oracle:retail_merchandising_system:15.0.3:::::::*
oracle	retail_merchandising_system	16.0.2	cpe:2.3:a:oracle:retail_merchandising_system:16.0.2:::::::*
oracle	retail_merchandising_system	16.0.3	cpe:2.3:a:oracle:retail_merchandising_system:16.0.3:::::::*
oracle	retail_sales_audit	14.1	cpe:2.3:a:oracle:retail_sales_audit:14.1:::::::*
oracle	siebel_engineering_-_installer_\&_deployment	<= 2.20.5	cpe:2.3:a:oracle:siebel_engineering_-_installer_\&_deployment::::::::
oracle	trace_file_analyzer	12.2.0.1	cpe:2.3:a:oracle:trace_file_analyzer:12.2.0.1:::::::*
oracle	trace_file_analyzer	18c	cpe:2.3:a:oracle:trace_file_analyzer:18c:::::::*
oracle	trace_file_analyzer	19c	cpe:2.3:a:oracle:trace_file_analyzer:19c:::::::*
oracle	webcenter_portal	12.2.1.3.0	cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:::::::*
oracle	webcenter_portal	12.2.1.4.0	cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:::::::*
oracle	webcenter_sites	12.2.1.3.0	cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0:::::::*
oracle	webcenter_sites	12.2.1.4.0	cpe:2.3:a:oracle:webcenter_sites:12.2.1.4.0:::::::*
oracle	weblogic_server	12.2.1.3.0	cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:::::::*
oracle	weblogic_server	12.2.1.4.0	cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:::::::*
netapp	active_iq_unified_manager	>= 7.3	cpe:2.3:a:netapp:active_iq_unified_manager::::::linux::*
netapp	active_iq_unified_manager	>= 7.3	cpe:2.3:a:netapp:active_iq_unified_manager::::::windows::*
netapp	active_iq_unified_manager	>= 9.5	cpe:2.3:a:netapp:active_iq_unified_manager::::::vmware_vsphere::*
netapp	oncommand_api_services	—	cpe:2.3:a:netapp:oncommand_api_services:-:::::::*
netapp	oncommand_workflow_automation	—	cpe:2.3:a:netapp:oncommand_workflow_automation:-:::::::*
netapp	service_level_manager	—	cpe:2.3:a:netapp:service_level_manager:-:::::::*
netapp	steelstore_cloud_integrated_storage	—	cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:::::::*

References for CVE-2019-16943

URL	Tags
https://access.redhat.com/errata/RHSA-2020:0159	Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0160	Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0161	Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0164	Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0445	Third Party Advisory
https://github.com/FasterXML/jackson-databind/issues/2478	Patch Third Party Advisory
https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E
https://lists.apache.org/thread.html/5ec8d8d485c2c8ac55ea425f4cd96596ef37312532712639712ebcdd%40%3Ccommits.iceberg.apache.org%3E
https://lists.apache.org/thread.html/6788e4c991f75b89d290ad06b463fcd30bcae99fee610345a35b7bc6%40%3Cissues.iceberg.apache.org%3E
https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E
https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E
https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E
https://lists.apache.org/thread.html/r392099ed2757ff2e383b10440594e914d080511d7da1c8fed0612c1f%40%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E
https://lists.debian.org/debian-lts-announce/2019/10/msg00001.html	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q7CANA7KV53JROZDX5Z5P26UG5VN2K43/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TH5VFUN4P7CCIP7KSEXYA5MUTFCUDUJT/
https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
https://seclists.org/bugtraq/2019/Oct/6	Issue Tracking Mailing List Third Party Advisory
https://security.netapp.com/advisory/ntap-20191017-0006/	Third Party Advisory
https://www.debian.org/security/2019/dsa-4542	Mailing List Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2020.html	Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2020.html	Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2020.html	Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.html	Patch Third Party Advisory

URL

CVE-2019-16943

Exploit prediction scoring system (EPSS) score for CVE-2019-16943

Common vulnerability scoring system (CVSS) metrics for CVE-2019-16943

Weakness enumeration for CVE-2019-16943

GitHub Security Advisory for CVE-2019-16943

OS Trackers for CVE-2019-16943

Affected software / configurations for CVE-2019-16943

References for CVE-2019-16943