# [HIGH] Jackson Deserialization Vulnerability

**Source:** Snyk
**Published:** 2019-08-21
**Article:** https://snyk.io/blog/jackson-deserialization-vulnerability/

## Threat Profile

Snyk Blog In this article
Written by Brian Vermeer 
August 21, 2019
0 mins read On July 29th, 2019 a high severity Deserialization of Untrusted Data vulnerability ( CVE-2019-14379 , CVE-2019-14439 ) affecting all versions of com.fasterxml.jackson.core:jackson-databind up to 2.9.9.2 was published.
For those of you who use Spring Boot, note that the current release (2.1.7) depends on the older vulnerable jackson-databind 2.9.9 package. 
We have already updated this in our database and the maintain…

## Indicators of Compromise (high-fidelity only)

- **CVE:** `CVE-2019-14379`
- **CVE:** `CVE-2019-14439`

## MITRE ATT&CK Techniques

- **T1190** — Exploit Public-Facing Application

## Kill chain phases observed

_(none detected from narrative keywords)_

## Recommended hunts

### IOC-driven hunts (use shared templates)

These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing.

- **Asset exposure — vulnerability matches article CVE(s)** ([template](../_TEMPLATES.md#asset-exposure)) — phase: **recon**, confidence: **High**
  - CVE(s): `CVE-2019-14379`, `CVE-2019-14439`


## Why this matters

Severity classified as **HIGH** based on: CVE present, 1 use case(s) fired, 1 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.