CVE-2018-14718 (GCVE-0-2018-14718)
Vulnerability from cvelistv5 – Published: 2019-01-02 18:00 – Updated: 2024-08-05 09:38- n/a
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T09:38:13.347Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[debian-lts-announce] 20190304 [SECURITY] [DLA 1703-1] jackson-databind security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html"
},
{
"name": "[lucene-dev] 20190325 [jira] [Assigned] (SOLR-13112) CVE-2018-14718(-14719),sonatype-2017-0312, CVE-2018-14720(-14721) Threat Level 8 Against Solr v7.6. com.fasterxml.jackson.core : jackson-databind : 2.9.6. FasterXML jackson-databind 2.x before 2.9.7 Remote Hackers...",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/6a78f88716c3c57aa74ec05764a37ab3874769a347805903b393b286%40%3Cdev.lucene.apache.org%3E"
},
{
"name": "[lucene-dev] 20190325 [jira] [Updated] (SOLR-13112) CVE-2018-14718(-14719),sonatype-2017-0312, CVE-2018-14720(-14721) Threat Level 8 Against Solr v7.6. com.fasterxml.jackson.core : jackson-databind : 2.9.6. FasterXML jackson-databind 2.x before 2.9.7 Remote Hackers...",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/82b01bfb6787097427ce97cec6a7127e93718bc05d1efd5eaffc228f%40%3Cdev.lucene.apache.org%3E"
},
{
"name": "[lucene-dev] 20190325 [jira] [Updated] (SOLR-13112) CVE-2018-14718(-14719),sonatype-2017-0312, CVE-2018-14720(-14721) Threat Level 8 Against Solr v7.6. com.fasterxml.jackson.core : jackson-databind : 2.9.6. FasterXML jackson-databind 2.x before 2.9.7 Remote Hackers...",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ba973114605d936be276ee6ce09dfbdbf78aa56f6cdc6e79bfa7b8df%40%3Cdev.lucene.apache.org%3E"
},
{
"name": "RHSA-2019:0782",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:0782"
},
{
"name": "106601",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/106601"
},
{
"name": "RHSA-2019:0877",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:0877"
},
{
"name": "RHBA-2019:0959",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHBA-2019:0959"
},
{
"name": "DSA-4452",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2019/dsa-4452"
},
{
"name": "20190527 [SECURITY] [DSA 4452-1] jackson-databind security update",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "https://seclists.org/bugtraq/2019/May/68"
},
{
"name": "RHSA-2019:1782",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1782"
},
{
"name": "RHSA-2019:1797",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1797"
},
{
"name": "RHSA-2019:1822",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1822"
},
{
"name": "RHSA-2019:1823",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1823"
},
{
"name": "RHSA-2019:2804",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:2804"
},
{
"name": "RHSA-2019:2858",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:2858"
},
{
"name": "RHSA-2019:3002",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:3002"
},
{
"name": "RHSA-2019:3140",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:3140"
},
{
"name": "[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E"
},
{
"name": "RHSA-2019:3149",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:3149"
},
{
"name": "[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E"
},
{
"name": "[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E"
},
{
"name": "RHSA-2019:3892",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:3892"
},
{
"name": "RHSA-2019:4037",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:4037"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2020.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20190530-0003/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/FasterXML/jackson-databind/issues/2097"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.7"
},
{
"name": "[druid-commits] 20210324 [GitHub] [druid] jihoonson opened a new pull request #11030: Suppress cves",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r1d4a247329a8478073163567bbc8c8cb6b49c6bfc2bf58153a857af1%40%3Ccommits.druid.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-07-27T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-03-25T00:06:19.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "[debian-lts-announce] 20190304 [SECURITY] [DLA 1703-1] jackson-databind security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html"
},
{
"name": "[lucene-dev] 20190325 [jira] [Assigned] (SOLR-13112) CVE-2018-14718(-14719),sonatype-2017-0312, CVE-2018-14720(-14721) Threat Level 8 Against Solr v7.6. com.fasterxml.jackson.core : jackson-databind : 2.9.6. FasterXML jackson-databind 2.x before 2.9.7 Remote Hackers...",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/6a78f88716c3c57aa74ec05764a37ab3874769a347805903b393b286%40%3Cdev.lucene.apache.org%3E"
},
{
"name": "[lucene-dev] 20190325 [jira] [Updated] (SOLR-13112) CVE-2018-14718(-14719),sonatype-2017-0312, CVE-2018-14720(-14721) Threat Level 8 Against Solr v7.6. com.fasterxml.jackson.core : jackson-databind : 2.9.6. FasterXML jackson-databind 2.x before 2.9.7 Remote Hackers...",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/82b01bfb6787097427ce97cec6a7127e93718bc05d1efd5eaffc228f%40%3Cdev.lucene.apache.org%3E"
},
{
"name": "[lucene-dev] 20190325 [jira] [Updated] (SOLR-13112) CVE-2018-14718(-14719),sonatype-2017-0312, CVE-2018-14720(-14721) Threat Level 8 Against Solr v7.6. com.fasterxml.jackson.core : jackson-databind : 2.9.6. FasterXML jackson-databind 2.x before 2.9.7 Remote Hackers...",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/ba973114605d936be276ee6ce09dfbdbf78aa56f6cdc6e79bfa7b8df%40%3Cdev.lucene.apache.org%3E"
},
{
"name": "RHSA-2019:0782",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:0782"
},
{
"name": "106601",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/106601"
},
{
"name": "RHSA-2019:0877",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:0877"
},
{
"name": "RHBA-2019:0959",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHBA-2019:0959"
},
{
"name": "DSA-4452",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2019/dsa-4452"
},
{
"name": "20190527 [SECURITY] [DSA 4452-1] jackson-databind security update",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "https://seclists.org/bugtraq/2019/May/68"
},
{
"name": "RHSA-2019:1782",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1782"
},
{
"name": "RHSA-2019:1797",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1797"
},
{
"name": "RHSA-2019:1822",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1822"
},
{
"name": "RHSA-2019:1823",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1823"
},
{
"name": "RHSA-2019:2804",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:2804"
},
{
"name": "RHSA-2019:2858",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:2858"
},
{
"name": "RHSA-2019:3002",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:3002"
},
{
"name": "RHSA-2019:3140",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:3140"
},
{
"name": "[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E"
},
{
"name": "RHSA-2019:3149",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:3149"
},
{
"name": "[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E"
},
{
"name": "[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E"
},
{
"name": "RHSA-2019:3892",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:3892"
},
{
"name": "RHSA-2019:4037",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:4037"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujan2020.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20190530-0003/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/FasterXML/jackson-databind/issues/2097"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.7"
},
{
"name": "[druid-commits] 20210324 [GitHub] [druid] jihoonson opened a new pull request #11030: Suppress cves",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r1d4a247329a8478073163567bbc8c8cb6b49c6bfc2bf58153a857af1%40%3Ccommits.druid.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-14718",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[debian-lts-announce] 20190304 [SECURITY] [DLA 1703-1] jackson-databind security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html"
},
{
"name": "[lucene-dev] 20190325 [jira] [Assigned] (SOLR-13112) CVE-2018-14718(-14719),sonatype-2017-0312, CVE-2018-14720(-14721) Threat Level 8 Against Solr v7.6. com.fasterxml.jackson.core : jackson-databind : 2.9.6. FasterXML jackson-databind 2.x before 2.9.7 Remote Hackers...",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/6a78f88716c3c57aa74ec05764a37ab3874769a347805903b393b286@%3Cdev.lucene.apache.org%3E"
},
{
"name": "[lucene-dev] 20190325 [jira] [Updated] (SOLR-13112) CVE-2018-14718(-14719),sonatype-2017-0312, CVE-2018-14720(-14721) Threat Level 8 Against Solr v7.6. com.fasterxml.jackson.core : jackson-databind : 2.9.6. FasterXML jackson-databind 2.x before 2.9.7 Remote Hackers...",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/82b01bfb6787097427ce97cec6a7127e93718bc05d1efd5eaffc228f@%3Cdev.lucene.apache.org%3E"
},
{
"name": "[lucene-dev] 20190325 [jira] [Updated] (SOLR-13112) CVE-2018-14718(-14719),sonatype-2017-0312, CVE-2018-14720(-14721) Threat Level 8 Against Solr v7.6. com.fasterxml.jackson.core : jackson-databind : 2.9.6. FasterXML jackson-databind 2.x before 2.9.7 Remote Hackers...",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/ba973114605d936be276ee6ce09dfbdbf78aa56f6cdc6e79bfa7b8df@%3Cdev.lucene.apache.org%3E"
},
{
"name": "RHSA-2019:0782",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:0782"
},
{
"name": "106601",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/106601"
},
{
"name": "RHSA-2019:0877",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:0877"
},
{
"name": "RHBA-2019:0959",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHBA-2019:0959"
},
{
"name": "DSA-4452",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2019/dsa-4452"
},
{
"name": "20190527 [SECURITY] [DSA 4452-1] jackson-databind security update",
"refsource": "BUGTRAQ",
"url": "https://seclists.org/bugtraq/2019/May/68"
},
{
"name": "RHSA-2019:1782",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:1782"
},
{
"name": "RHSA-2019:1797",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:1797"
},
{
"name": "RHSA-2019:1822",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:1822"
},
{
"name": "RHSA-2019:1823",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:1823"
},
{
"name": "RHSA-2019:2804",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:2804"
},
{
"name": "RHSA-2019:2858",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:2858"
},
{
"name": "RHSA-2019:3002",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:3002"
},
{
"name": "RHSA-2019:3140",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:3140"
},
{
"name": "[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E"
},
{
"name": "RHSA-2019:3149",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:3149"
},
{
"name": "[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E"
},
{
"name": "[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E"
},
{
"name": "RHSA-2019:3892",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:3892"
},
{
"name": "RHSA-2019:4037",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:4037"
},
{
"name": "https://www.oracle.com/security-alerts/cpuapr2020.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"name": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html",
"refsource": "CONFIRM",
"url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
},
{
"name": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html",
"refsource": "MISC",
"url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
},
{
"name": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html",
"refsource": "MISC",
"url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2020.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujan2020.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20190530-0003/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20190530-0003/"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2020.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"name": "https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44",
"refsource": "CONFIRM",
"url": "https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44"
},
{
"name": "https://github.com/FasterXML/jackson-databind/issues/2097",
"refsource": "CONFIRM",
"url": "https://github.com/FasterXML/jackson-databind/issues/2097"
},
{
"name": "https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.7",
"refsource": "CONFIRM",
"url": "https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.7"
},
{
"name": "[druid-commits] 20210324 [GitHub] [druid] jihoonson opened a new pull request #11030: Suppress cves",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r1d4a247329a8478073163567bbc8c8cb6b49c6bfc2bf58153a857af1@%3Ccommits.druid.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-14718",
"datePublished": "2019-01-02T18:00:00.000Z",
"dateReserved": "2018-07-28T00:00:00.000Z",
"dateUpdated": "2024-08-05T09:38:13.347Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2018-14718",
"date": "2026-05-26",
"epss": "0.14515",
"percentile": "0.94539"
},
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"2.0.0\", \"versionEndExcluding\": \"2.6.7.3\", \"matchCriteriaId\": \"7036DA13-110D-40B3-8494-E361BBF4AFCD\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"2.7.0\", \"versionEndExcluding\": \"2.7.9.5\", \"matchCriteriaId\": \"B99066EB-FF79-4D9D-9466-B04AD4D3A814\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"2.8.0\", \"versionEndExcluding\": \"2.8.11.3\", \"matchCriteriaId\": \"F4D3858C-DAF3-4522-90EC-EFCD13BD121E\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"2.9.0\", \"versionEndExcluding\": \"2.9.7\", \"matchCriteriaId\": \"4DA01839-5250-43A7-AFB7-871DC9B8AB32\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"DEECE5FC-CACF-4496-A3E7-164736409252\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:banking_platform:2.5.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"35AD0C07-9688-4397-8D45-FBB88C0F0C11\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:banking_platform:2.6.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"8972497F-6E24-45A9-9A18-EB0E842CB1D4\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:banking_platform:2.6.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"400509A8-D6F2-432C-A2F1-AD5B8778D0D9\"}, {\"vulnerable\": true, 
\"criteria\": \"cpe:2.3:a:oracle:banking_platform:2.6.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"132CE62A-FBFC-4001-81EC-35D81F73AF48\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:business_process_management_suite:12.1.3.0.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"B887E174-57AB-449D-AEE4-82DD1A3E5C84\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"E869C417-C0E6-4FC3-B406-45598A1D1906\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"E6039DC7-08F2-4DD9-B5B5-B6B22DD2409F\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"7231AF76-3D46-41C4-83E9-6E9E12940BD9\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.3.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"FD945A04-174C-46A2-935D-4F92631D1018\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:enterprise_manager_for_virtualization:13.2.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"A9E97F04-00ED-48E9-AB40-7A02B3419641\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:enterprise_manager_for_virtualization:13.2.3:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"FCCE5A11-39E7-4BBB-9E1A-BA4B754103BB\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:enterprise_manager_for_virtualization:13.3.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"A5AEC7F5-C353-4CF5-96CE-8C713A2B0C92\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"BB79BB43-E0AB-4F0D-A6EA-000485757EEC\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.3:*:*:*:*:*:*:*\", \"matchCriteriaId\": 
\"F238CB66-886D-47E8-8DC0-7FC2025771EB\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.4:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"59B7B8AD-1210-4C40-8EF7-E2E8156630A1\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.5:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"0DE4A291-4358-42A9-A68D-E59D9998A1CC\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"0D19CF00-FE20-4690-AAB7-8E9DBC68A94F\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.7:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"A030A498-3361-46F8-BB99-24A66CAE11CA\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:global_lifecycle_management_opatch:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"11.2.0.3.23\", \"matchCriteriaId\": \"F6455EB1-C741-45E8-A53E-E7AD7A5D00EE\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:global_lifecycle_management_opatch:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"12.2.0.1.0\", \"versionEndExcluding\": \"12.2.0.1.19\", \"matchCriteriaId\": \"BFD43191-E67F-4D1B-967B-3C7B20331945\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:global_lifecycle_management_opatch:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"13.9.4.0.0\", \"versionEndExcluding\": \"13.9.4.2.1\", \"matchCriteriaId\": \"062C588A-CBBA-470F-8D11-2F961922E927\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:9.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"989598A3-7012-4F57-B172-02404E20D16D\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"41684398-18A4-4DC6-B8A2-3EBAA0CBF9A6\"}, {\"vulnerable\": true, \"criteria\": 
\"cpe:2.3:a:oracle:jdeveloper:12.1.3.0.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"042C243F-EDFE-4A04-AB0B-26E73CC34837\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"228DA523-4D6D-48C5-BDB0-DB1A60F23F8B\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:nosql_database:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"19.3.12\", \"matchCriteriaId\": \"63C59FA7-F321-4475-9F71-D78E0C890866\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:nosql_database:19.3.12:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"9E215743-2B5D-4EA5-A8F5-BBEC4DC85C35\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"17.7\", \"versionEndIncluding\": \"17.12\", \"matchCriteriaId\": \"7A1E1023-2EB9-4334-9B74-CA71480F71C2\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:15.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"93A4E178-0082-45C5-BBC0-0A4E51C8B1DE\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:15.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"3F021C23-AB9B-4877-833F-D01359A98762\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:16.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"2F8ED016-32A1-42EE-844E-3E6B2C116B74\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:16.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"A046CC2C-445F-4336-8810-930570B4FEC6\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:18.8:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"0745445C-EC43-4091-BA7C-5105AFCC6F1F\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": 
\"17.7\", \"versionEndIncluding\": \"17.12\", \"matchCriteriaId\": \"08FA59A8-6A62-4B33-8952-D6E658F8DAC9\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"D55A54FD-7DD1-49CD-BE81-0BE73990943C\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"82EB08C0-2D46-4635-88DF-E54F6452D3A3\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"202AD518-2E9B-4062-B063-9858AE1F9CE2\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:17.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"A7FBF5C7-EC73-4CE4-8CB7-E9CF5705DB25\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:retail_merchandising_system:15.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"792DF04A-2D1B-40B5-B960-3E7152732EB8\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:retail_merchandising_system:16.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"46525CA6-4226-4F6F-B899-D800D4DDE0B5\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:retail_workforce_management_software:1.60.9.0.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"9967AAFD-2199-4668-9105-207D4866B707\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:siebel_engineering_-_installer_\\\\\u0026_deployment:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"19.8\", \"matchCriteriaId\": \"25993ED6-D4C7-4B68-9F87-274B757A88CC\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:siebel_ui_framework:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"19.10\", \"matchCriteriaId\": \"2F10FB4D-A29B-42B4-B70E-EB82A93F2218\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"D6A4F71A-4269-40FC-8F61-1D1301F2B728\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, 
\"criteria\": \"cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"5735E553-9731-4AAC-BCFF-989377F817B3\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"BDFB1169-41A0-4A86-8E4F-FDA9730B1E94\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"E94F7F59-1785-493F-91A7-5F5EA5E87E4D\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:openshift_container_platform:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"3.11\", \"versionEndExcluding\": \"3.11.153\", \"matchCriteriaId\": \"3A76E5BF-01E4-46E7-8E3B-5ACE75657360\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:openshift_container_platform:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"4.6\", \"versionEndExcluding\": \"4.6.26\", \"matchCriteriaId\": \"E9A6D103-9674-4B04-8397-86501F1D91CF\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:openshift_container_platform:3.10:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"4DBCD38F-BBE8-488C-A8C3-5782F191D915\"}]}]}, {\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:openshift_container_platform:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"4.1\", \"versionEndExcluding\": \"4.1.18\", \"matchCriteriaId\": \"D2452F48-6A8B-4274-B0CE-F1256F400170\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"142AD0DD-4CF3-4D74-9442-459CE3347E3A\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.\"}, {\"lang\": \"es\", \"value\": \"Las versiones 2.x de FasterXML jackson-databind anteriores a la 2.9.7 podr\\u00edan permitir a los atacantes remotos ejecutar c\\u00f3digo arbitrario aprovechando un fallo para bloquear la clase slf4j-ext de deserializaci\\u00f3n polim\\u00f3rfica.\"}]",
"id": "CVE-2018-14718",
"lastModified": "2024-11-21T03:49:39.707",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:P/I:P/A:P\", \"baseScore\": 7.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"HIGH\", \"exploitabilityScore\": 10.0, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
"published": "2019-01-02T18:29:00.310",
"references": "[{\"url\": \"http://www.securityfocus.com/bid/106601\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://access.redhat.com/errata/RHBA-2019:0959\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2019:0782\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2019:0877\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2019:1782\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2019:1797\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2019:1822\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2019:1823\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2019:2804\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2019:2858\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2019:3002\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2019:3140\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2019:3149\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2019:3892\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2019:4037\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third 
Party Advisory\"]}, {\"url\": \"https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44\", \"source\": \"cve@mitre.org\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/FasterXML/jackson-databind/issues/2097\", \"source\": \"cve@mitre.org\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.7\", \"source\": \"cve@mitre.org\", \"tags\": [\"Patch\", \"Release Notes\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E\", \"source\": \"cve@mitre.org\"}, {\"url\": \"https://lists.apache.org/thread.html/6a78f88716c3c57aa74ec05764a37ab3874769a347805903b393b286%40%3Cdev.lucene.apache.org%3E\", \"source\": \"cve@mitre.org\"}, {\"url\": \"https://lists.apache.org/thread.html/82b01bfb6787097427ce97cec6a7127e93718bc05d1efd5eaffc228f%40%3Cdev.lucene.apache.org%3E\", \"source\": \"cve@mitre.org\"}, {\"url\": \"https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E\", \"source\": \"cve@mitre.org\"}, {\"url\": \"https://lists.apache.org/thread.html/ba973114605d936be276ee6ce09dfbdbf78aa56f6cdc6e79bfa7b8df%40%3Cdev.lucene.apache.org%3E\", \"source\": \"cve@mitre.org\"}, {\"url\": \"https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E\", \"source\": \"cve@mitre.org\"}, {\"url\": \"https://lists.apache.org/thread.html/r1d4a247329a8478073163567bbc8c8cb6b49c6bfc2bf58153a857af1%40%3Ccommits.druid.apache.org%3E\", \"source\": \"cve@mitre.org\"}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html\", \"source\": \"cve@mitre.org\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://seclists.org/bugtraq/2019/May/68\", \"source\": 
\"cve@mitre.org\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://security.netapp.com/advisory/ntap-20190530-0003/\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.debian.org/security/2019/dsa-4452\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.oracle.com/security-alerts/cpuapr2020.html\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.oracle.com/security-alerts/cpujan2020.html\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html\", \"source\": \"cve@mitre.org\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html\", \"source\": \"cve@mitre.org\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html\", \"source\": \"cve@mitre.org\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"http://www.securityfocus.com/bid/106601\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://access.redhat.com/errata/RHBA-2019:0959\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2019:0782\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2019:0877\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2019:1782\", \"source\": 
\"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2019:1797\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2019:1822\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2019:1823\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2019:2804\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2019:2858\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2019:3002\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2019:3140\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2019:3149\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2019:3892\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2019:4037\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/FasterXML/jackson-databind/issues/2097\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": 
[\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.7\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Release Notes\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/6a78f88716c3c57aa74ec05764a37ab3874769a347805903b393b286%40%3Cdev.lucene.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/82b01bfb6787097427ce97cec6a7127e93718bc05d1efd5eaffc228f%40%3Cdev.lucene.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/ba973114605d936be276ee6ce09dfbdbf78aa56f6cdc6e79bfa7b8df%40%3Cdev.lucene.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/r1d4a247329a8478073163567bbc8c8cb6b49c6bfc2bf58153a857af1%40%3Ccommits.druid.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://seclists.org/bugtraq/2019/May/68\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": 
\"https://security.netapp.com/advisory/ntap-20190530-0003/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.debian.org/security/2019/dsa-4452\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.oracle.com/security-alerts/cpuapr2020.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.oracle.com/security-alerts/cpujan2020.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}]",
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-502\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2018-14718\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2019-01-02T18:29:00.310\",\"lastModified\":\"2024-11-21T03:49:39.707\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.\"},{\"lang\":\"es\",\"value\":\"Las versiones 2.x de FasterXML jackson-databind anteriores a la 2.9.7 podr\u00edan permitir a los atacantes remotos ejecutar c\u00f3digo arbitrario aprovechando un fallo para bloquear la clase slf4j-ext de deserializaci\u00f3n polim\u00f3rfica.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"baseScore\":7.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-502\"}]}],\"configurations\":[{\"nodes\":[{\"operator\"
:\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.0.0\",\"versionEndExcluding\":\"2.6.7.3\",\"matchCriteriaId\":\"7036DA13-110D-40B3-8494-E361BBF4AFCD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.7.0\",\"versionEndExcluding\":\"2.7.9.5\",\"matchCriteriaId\":\"B99066EB-FF79-4D9D-9466-B04AD4D3A814\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.8.0\",\"versionEndExcluding\":\"2.8.11.3\",\"matchCriteriaId\":\"F4D3858C-DAF3-4522-90EC-EFCD13BD121E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.9.0\",\"versionEndExcluding\":\"2.9.7\",\"matchCriteriaId\":\"4DA01839-5250-43A7-AFB7-871DC9B8AB32\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DEECE5FC-CACF-4496-A3E7-164736409252\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:banking_platform:2.5.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"35AD0C07-9688-4397-8D45-FBB88C0F0C11\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:banking_platform:2.6.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8972497F-6E24-45A9-9A18-EB0E842CB1D4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:banking_platform:2.6.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"400509A8-D6F2-432C-A2F1-AD5B8778D0D9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:banking_platform:2.6.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"132CE62A-FBFC-4001-81EC-35D81F73AF48\"},{\"vulnerable\
":true,\"criteria\":\"cpe:2.3:a:oracle:business_process_management_suite:12.1.3.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B887E174-57AB-449D-AEE4-82DD1A3E5C84\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E869C417-C0E6-4FC3-B406-45598A1D1906\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E6039DC7-08F2-4DD9-B5B5-B6B22DD2409F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7231AF76-3D46-41C4-83E9-6E9E12940BD9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FD945A04-174C-46A2-935D-4F92631D1018\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:enterprise_manager_for_virtualization:13.2.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A9E97F04-00ED-48E9-AB40-7A02B3419641\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:enterprise_manager_for_virtualization:13.2.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FCCE5A11-39E7-4BBB-9E1A-BA4B754103BB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:enterprise_manager_for_virtualization:13.3.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A5AEC7F5-C353-4CF5-96CE-8C713A2B0C92\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"BB79BB43-E0AB-4F0D-A6EA-000485757EEC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F238CB66-886D-47E8-8DC0-7FC2025771EB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"59B7B8AD-1210-4C40-8EF7-E2E8156630A1\"},{\"v
ulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0DE4A291-4358-42A9-A68D-E59D9998A1CC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0D19CF00-FE20-4690-AAB7-8E9DBC68A94F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A030A498-3361-46F8-BB99-24A66CAE11CA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:global_lifecycle_management_opatch:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"11.2.0.3.23\",\"matchCriteriaId\":\"F6455EB1-C741-45E8-A53E-E7AD7A5D00EE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:global_lifecycle_management_opatch:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"12.2.0.1.0\",\"versionEndExcluding\":\"12.2.0.1.19\",\"matchCriteriaId\":\"BFD43191-E67F-4D1B-967B-3C7B20331945\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:global_lifecycle_management_opatch:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"13.9.4.0.0\",\"versionEndExcluding\":\"13.9.4.2.1\",\"matchCriteriaId\":\"062C588A-CBBA-470F-8D11-2F961922E927\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:9.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"989598A3-7012-4F57-B172-02404E20D16D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"41684398-18A4-4DC6-B8A2-3EBAA0CBF9A6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:jdeveloper:12.1.3.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"042C243F-EDFE-4A04-AB0B-26E73CC34837\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"228DA523-4D6D-48C5-BDB0-DB1A60F23F8B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:nosql_database:*
:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"19.3.12\",\"matchCriteriaId\":\"63C59FA7-F321-4475-9F71-D78E0C890866\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:nosql_database:19.3.12:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9E215743-2B5D-4EA5-A8F5-BBEC4DC85C35\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"17.7\",\"versionEndIncluding\":\"17.12\",\"matchCriteriaId\":\"7A1E1023-2EB9-4334-9B74-CA71480F71C2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:15.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"93A4E178-0082-45C5-BBC0-0A4E51C8B1DE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:15.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3F021C23-AB9B-4877-833F-D01359A98762\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:16.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2F8ED016-32A1-42EE-844E-3E6B2C116B74\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:16.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A046CC2C-445F-4336-8810-930570B4FEC6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:18.8:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0745445C-EC43-4091-BA7C-5105AFCC6F1F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"17.7\",\"versionEndIncluding\":\"17.12\",\"matchCriteriaId\":\"08FA59A8-6A62-4B33-8952-D6E658F8DAC9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D55A54FD-7DD1-49CD-BE81-0BE73990943C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"82EB08C0-2D46-4635-88DF-E54F6452D3A3\"},{\"
vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"202AD518-2E9B-4062-B063-9858AE1F9CE2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:17.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A7FBF5C7-EC73-4CE4-8CB7-E9CF5705DB25\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:retail_merchandising_system:15.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"792DF04A-2D1B-40B5-B960-3E7152732EB8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:retail_merchandising_system:16.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"46525CA6-4226-4F6F-B899-D800D4DDE0B5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:retail_workforce_management_software:1.60.9.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9967AAFD-2199-4668-9105-207D4866B707\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:siebel_engineering_-_installer_\\\\\u0026_deployment:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"19.8\",\"matchCriteriaId\":\"25993ED6-D4C7-4B68-9F87-274B757A88CC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:siebel_ui_framework:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"19.10\",\"matchCriteriaId\":\"2F10FB4D-A29B-42B4-B70E-EB82A93F2218\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D6A4F71A-4269-40FC-8F61-1D1301F2B728\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5735E553-9731-4AAC-BCFF-989377F817B3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"BDFB1169-41A0-4A86-8E4F-FDA9730B1E94\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E94F7F59-1785-493F-91A7-5F5EA5E87E4D\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"neg
ate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:openshift_container_platform:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.11\",\"versionEndExcluding\":\"3.11.153\",\"matchCriteriaId\":\"3A76E5BF-01E4-46E7-8E3B-5ACE75657360\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:openshift_container_platform:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.6\",\"versionEndExcluding\":\"4.6.26\",\"matchCriteriaId\":\"E9A6D103-9674-4B04-8397-86501F1D91CF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:openshift_container_platform:3.10:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4DBCD38F-BBE8-488C-A8C3-5782F191D915\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:openshift_container_platform:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.1\",\"versionEndExcluding\":\"4.1.18\",\"matchCriteriaId\":\"D2452F48-6A8B-4274-B0CE-F1256F400170\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"142AD0DD-4CF3-4D74-9442-459CE3347E3A\"}]}]}],\"references\":[{\"url\":\"http://www.securityfocus.com/bid/106601\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://access.redhat.com/errata/RHBA-2019:0959\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2019:0782\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2019:0877\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2019:1782\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2019:1797\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party 
Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2019:1822\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2019:1823\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2019:2804\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2019:2858\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2019:3002\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2019:3140\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2019:3149\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2019:3892\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2019:4037\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/FasterXML/jackson-databind/issues/2097\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.7\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\",\"Release Notes\",\"Third Party 
Advisory\"]},{\"url\":\"https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://lists.apache.org/thread.html/6a78f88716c3c57aa74ec05764a37ab3874769a347805903b393b286%40%3Cdev.lucene.apache.org%3E\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://lists.apache.org/thread.html/82b01bfb6787097427ce97cec6a7127e93718bc05d1efd5eaffc228f%40%3Cdev.lucene.apache.org%3E\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://lists.apache.org/thread.html/ba973114605d936be276ee6ce09dfbdbf78aa56f6cdc6e79bfa7b8df%40%3Cdev.lucene.apache.org%3E\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://lists.apache.org/thread.html/r1d4a247329a8478073163567bbc8c8cb6b49c6bfc2bf58153a857af1%40%3Ccommits.druid.apache.org%3E\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://seclists.org/bugtraq/2019/May/68\",\"source\":\"cve@mitre.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20190530-0003/\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.debian.org/security/2019/dsa-4452\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpuapr2020.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpujan2020.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third 
Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpuoct2020.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/106601\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://access.redhat.com/errata/RHBA-2019:0959\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2019:0782\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2019:0877\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2019:1782\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2019:1797\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2019:1822\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2019:1823\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2019:2804\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party 
Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2019:2858\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2019:3002\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2019:3140\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2019:3149\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2019:3892\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2019:4037\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/FasterXML/jackson-databind/issues/2097\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.7\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Release Notes\",\"Third Party 
Advisory\"]},{\"url\":\"https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/6a78f88716c3c57aa74ec05764a37ab3874769a347805903b393b286%40%3Cdev.lucene.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/82b01bfb6787097427ce97cec6a7127e93718bc05d1efd5eaffc228f%40%3Cdev.lucene.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/ba973114605d936be276ee6ce09dfbdbf78aa56f6cdc6e79bfa7b8df%40%3Cdev.lucene.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/r1d4a247329a8478073163567bbc8c8cb6b49c6bfc2bf58153a857af1%40%3Ccommits.druid.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://seclists.org/bugtraq/2019/May/68\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20190530-0003/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.debian.org/security/2019/dsa-4452\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party 
Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpuapr2020.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpujan2020.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpuoct2020.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]}]}}"
}
}
GHSA-645P-88QH-W398
Vulnerability from github – Published: 2019-01-04 19:06 – Updated: 2023-09-14 14:00
FasterXML jackson-databind 2.x before 2.9.7, 2.8.11.3, 2.7.9.5, and 2.6.7.3 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.fasterxml.jackson.core:jackson-databind"
},
"ranges": [
{
"events": [
{
"introduced": "2.9.0"
},
{
"fixed": "2.9.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.8.11.2"
},
"package": {
"ecosystem": "Maven",
"name": "com.fasterxml.jackson.core:jackson-databind"
},
"ranges": [
{
"events": [
{
"introduced": "2.8.0"
},
{
"fixed": "2.8.11.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.7.9.4"
},
"package": {
"ecosystem": "Maven",
"name": "com.fasterxml.jackson.core:jackson-databind"
},
"ranges": [
{
"events": [
{
"introduced": "2.7.0"
},
{
"fixed": "2.7.9.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.fasterxml.jackson.core:jackson-databind"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.6.7.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-14718"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:17:52Z",
"nvd_published_at": "2019-01-02T18:29:00Z",
"severity": "CRITICAL"
},
"details": "FasterXML jackson-databind 2.x before 2.9.7, 2.8.11.3, 2.7.9.5, and 2.6.7.3 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.",
"id": "GHSA-645p-88qh-w398",
"modified": "2023-09-14T14:00:55Z",
"published": "2019-01-04T19:06:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14718"
},
{
"type": "WEB",
"url": "https://github.com/FasterXML/jackson-databind/issues/2097"
},
{
"type": "WEB",
"url": "https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHBA-2019:0959"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/6a78f88716c3c57aa74ec05764a37ab3874769a347805903b393b286@%3Cdev.lucene.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/82b01bfb6787097427ce97cec6a7127e93718bc05d1efd5eaffc228f@%3Cdev.lucene.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/ba973114605d936be276ee6ce09dfbdbf78aa56f6cdc6e79bfa7b8df@%3Cdev.lucene.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r1d4a247329a8478073163567bbc8c8cb6b49c6bfc2bf58153a857af1@%3Ccommits.druid.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html"
},
{
"type": "WEB",
"url": "https://seclists.org/bugtraq/2019/May/68"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20190530-0003"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2019/dsa-4452"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujan2020.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:0782"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:0877"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:1782"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:1797"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:1822"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:1823"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:2804"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:2858"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:3002"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:3140"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:3149"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:3892"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:4037"
},
{
"type": "PACKAGE",
"url": "https://github.com/FasterXML/jackson-databind"
},
{
"type": "WEB",
"url": "https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.7"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-645p-88qh-w398"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/106601"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Arbitrary Code Execution in jackson-databind"
}
GSD-2018-14718
Vulnerability from gsd - Updated: 2023-12-13 01:22
{
"GSD": {
"alias": "CVE-2018-14718",
"description": "FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.",
"id": "GSD-2018-14718",
"references": [
"https://www.suse.com/security/cve/CVE-2018-14718.html",
"https://www.debian.org/security/2019/dsa-4452",
"https://access.redhat.com/errata/RHSA-2021:1515",
"https://access.redhat.com/errata/RHSA-2021:1230",
"https://access.redhat.com/errata/RHSA-2020:2564",
"https://access.redhat.com/errata/RHSA-2019:4037",
"https://access.redhat.com/errata/RHSA-2019:3892",
"https://access.redhat.com/errata/RHSA-2019:3149",
"https://access.redhat.com/errata/RHSA-2019:3140",
"https://access.redhat.com/errata/RHSA-2019:3002",
"https://access.redhat.com/errata/RHSA-2019:2858",
"https://access.redhat.com/errata/RHSA-2019:2804",
"https://access.redhat.com/errata/RHSA-2019:1823",
"https://access.redhat.com/errata/RHSA-2019:1822",
"https://access.redhat.com/errata/RHSA-2019:1797",
"https://access.redhat.com/errata/RHSA-2019:1782",
"https://access.redhat.com/errata/RHSA-2019:0877",
"https://access.redhat.com/errata/RHSA-2019:0782",
"https://ubuntu.com/security/CVE-2018-14718"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2018-14718"
],
"details": "FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.",
"id": "GSD-2018-14718",
"modified": "2023-12-13T01:22:37.826489Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-14718",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[debian-lts-announce] 20190304 [SECURITY] [DLA 1703-1] jackson-databind security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html"
},
{
"name": "[lucene-dev] 20190325 [jira] [Assigned] (SOLR-13112) CVE-2018-14718(-14719),sonatype-2017-0312, CVE-2018-14720(-14721) Threat Level 8 Against Solr v7.6. com.fasterxml.jackson.core : jackson-databind : 2.9.6. FasterXML jackson-databind 2.x before 2.9.7 Remote Hackers...",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/6a78f88716c3c57aa74ec05764a37ab3874769a347805903b393b286@%3Cdev.lucene.apache.org%3E"
},
{
"name": "[lucene-dev] 20190325 [jira] [Updated] (SOLR-13112) CVE-2018-14718(-14719),sonatype-2017-0312, CVE-2018-14720(-14721) Threat Level 8 Against Solr v7.6. com.fasterxml.jackson.core : jackson-databind : 2.9.6. FasterXML jackson-databind 2.x before 2.9.7 Remote Hackers...",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/82b01bfb6787097427ce97cec6a7127e93718bc05d1efd5eaffc228f@%3Cdev.lucene.apache.org%3E"
},
{
"name": "[lucene-dev] 20190325 [jira] [Updated] (SOLR-13112) CVE-2018-14718(-14719),sonatype-2017-0312, CVE-2018-14720(-14721) Threat Level 8 Against Solr v7.6. com.fasterxml.jackson.core : jackson-databind : 2.9.6. FasterXML jackson-databind 2.x before 2.9.7 Remote Hackers...",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/ba973114605d936be276ee6ce09dfbdbf78aa56f6cdc6e79bfa7b8df@%3Cdev.lucene.apache.org%3E"
},
{
"name": "RHSA-2019:0782",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:0782"
},
{
"name": "106601",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/106601"
},
{
"name": "RHSA-2019:0877",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:0877"
},
{
"name": "RHBA-2019:0959",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHBA-2019:0959"
},
{
"name": "DSA-4452",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2019/dsa-4452"
},
{
"name": "20190527 [SECURITY] [DSA 4452-1] jackson-databind security update",
"refsource": "BUGTRAQ",
"url": "https://seclists.org/bugtraq/2019/May/68"
},
{
"name": "RHSA-2019:1782",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:1782"
},
{
"name": "RHSA-2019:1797",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:1797"
},
{
"name": "RHSA-2019:1822",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:1822"
},
{
"name": "RHSA-2019:1823",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:1823"
},
{
"name": "RHSA-2019:2804",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:2804"
},
{
"name": "RHSA-2019:2858",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:2858"
},
{
"name": "RHSA-2019:3002",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:3002"
},
{
"name": "RHSA-2019:3140",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:3140"
},
{
"name": "[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E"
},
{
"name": "RHSA-2019:3149",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:3149"
},
{
"name": "[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E"
},
{
"name": "[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E"
},
{
"name": "RHSA-2019:3892",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:3892"
},
{
"name": "RHSA-2019:4037",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:4037"
},
{
"name": "https://www.oracle.com/security-alerts/cpuapr2020.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"name": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html",
"refsource": "CONFIRM",
"url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
},
{
"name": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html",
"refsource": "MISC",
"url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
},
{
"name": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html",
"refsource": "MISC",
"url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2020.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujan2020.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20190530-0003/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20190530-0003/"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2020.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"name": "https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44",
"refsource": "CONFIRM",
"url": "https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44"
},
{
"name": "https://github.com/FasterXML/jackson-databind/issues/2097",
"refsource": "CONFIRM",
"url": "https://github.com/FasterXML/jackson-databind/issues/2097"
},
{
"name": "https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.7",
"refsource": "CONFIRM",
"url": "https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.7"
},
{
"name": "[druid-commits] 20210324 [GitHub] [druid] jihoonson opened a new pull request #11030: Suppress cves",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r1d4a247329a8478073163567bbc8c8cb6b49c6bfc2bf58153a857af1@%3Ccommits.druid.apache.org%3E"
}
]
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "(,2.6.7.2),[2.7.0,2.9.7)",
"affected_versions": "All versions before 2.6.7.2, all versions starting from 2.7.0 before 2.9.7",
"cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"cvss_v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-502",
"CWE-937"
],
"date": "2019-05-30",
"description": "FasterXML jackson-databind might allow remote attackers to execute arbitrary code by leveraging failure to block the `slf4j-ext` class from polymorphic deserialization.",
"fixed_versions": [
"2.6.7.2",
"2.9.7"
],
"identifier": "CVE-2018-14718",
"identifiers": [
"CVE-2018-14718"
],
"not_impacted": "All versions starting from 2.6.7.2 before 2.7.0, all versions starting from 2.9.7",
"package_slug": "maven/com.fasterxml.jackson.core/jackson-databind",
"pubdate": "2019-01-02",
"solution": "Upgrade to versions 2.6.7.2, 2.9.7 or above.",
"title": "Deserialization of Untrusted Data",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2018-14718",
"http://www.securityfocus.com/bid/106601"
],
"uuid": "73508662-4968-4c9f-9d28-4d023a05c568"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "2.7.9.5",
"versionStartIncluding": "2.7.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "2.8.11.3",
"versionStartIncluding": "2.8.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "2.9.7",
"versionStartIncluding": "2.9.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "2.6.7.3",
"versionStartIncluding": "2.0.0",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:16.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:15.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:banking_platform:2.5.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:16.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:jdeveloper:12.1.3.0.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:15.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:retail_merchandising_system:16.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:business_process_management_suite:12.1.3.0.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "17.12",
"versionStartIncluding": "17.7",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:18.8:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:9.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.7:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:banking_platform:2.6.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:banking_platform:2.6.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:banking_platform:2.6.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:enterprise_manager_for_virtualization:13.2.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:enterprise_manager_for_virtualization:13.2.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:enterprise_manager_for_virtualization:13.3.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:17.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:retail_workforce_management_software:1.60.9.0.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "17.12",
"versionStartIncluding": "17.7",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:retail_merchandising_system:15.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:siebel_ui_framework:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "19.10",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:global_lifecycle_management_opatch:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "11.2.0.3.23",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:nosql_database:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "19.3.12",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:global_lifecycle_management_opatch:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "12.2.0.1.19",
"versionStartIncluding": "12.2.0.1.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:global_lifecycle_management_opatch:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "13.9.4.2.1",
"versionStartIncluding": "13.9.4.0.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:siebel_engineering_-_installer_\\\u0026_deployment:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "19.8",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.3.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:nosql_database:19.3.12:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:redhat:openshift_container_platform:3.10:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:openshift_container_platform:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "4.6.26",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:openshift_container_platform:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "3.11.153",
"versionStartIncluding": "3.11",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:redhat:openshift_container_platform:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "4.1.18",
"versionStartIncluding": "4.1",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-14718"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/FasterXML/jackson-databind/issues/2097",
"refsource": "CONFIRM",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/FasterXML/jackson-databind/issues/2097"
},
{
"name": "https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44",
"refsource": "CONFIRM",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44"
},
{
"name": "https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.7",
"refsource": "CONFIRM",
"tags": [
"Patch",
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.7"
},
{
"name": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html",
"refsource": "CONFIRM",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
},
{
"name": "[debian-lts-announce] 20190304 [SECURITY] [DLA 1703-1] jackson-databind security update",
"refsource": "MLIST",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html"
},
{
"name": "[lucene-dev] 20190325 [jira] [Updated] (SOLR-13112) CVE-2018-14718(-14719),sonatype-2017-0312, CVE-2018-14720(-14721) Threat Level 8 Against Solr v7.6. com.fasterxml.jackson.core : jackson-databind : 2.9.6. FasterXML jackson-databind 2.x before 2.9.7 Remote Hackers...",
"refsource": "MLIST",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.apache.org/thread.html/82b01bfb6787097427ce97cec6a7127e93718bc05d1efd5eaffc228f@%3Cdev.lucene.apache.org%3E"
},
{
"name": "[lucene-dev] 20190325 [jira] [Assigned] (SOLR-13112) CVE-2018-14718(-14719),sonatype-2017-0312, CVE-2018-14720(-14721) Threat Level 8 Against Solr v7.6. com.fasterxml.jackson.core : jackson-databind : 2.9.6. FasterXML jackson-databind 2.x before 2.9.7 Remote Hackers...",
"refsource": "MLIST",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.apache.org/thread.html/6a78f88716c3c57aa74ec05764a37ab3874769a347805903b393b286@%3Cdev.lucene.apache.org%3E"
},
{
"name": "[lucene-dev] 20190325 [jira] [Updated] (SOLR-13112) CVE-2018-14718(-14719),sonatype-2017-0312, CVE-2018-14720(-14721) Threat Level 8 Against Solr v7.6. com.fasterxml.jackson.core : jackson-databind : 2.9.6. FasterXML jackson-databind 2.x before 2.9.7 Remote Hackers...",
"refsource": "MLIST",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.apache.org/thread.html/ba973114605d936be276ee6ce09dfbdbf78aa56f6cdc6e79bfa7b8df@%3Cdev.lucene.apache.org%3E"
},
{
"name": "RHSA-2019:0782",
"refsource": "REDHAT",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:0782"
},
{
"name": "106601",
"refsource": "BID",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/106601"
},
{
"name": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html",
"refsource": "MISC",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
},
{
"name": "RHSA-2019:0877",
"refsource": "REDHAT",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:0877"
},
{
"name": "RHBA-2019:0959",
"refsource": "REDHAT",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHBA-2019:0959"
},
{
"name": "DSA-4452",
"refsource": "DEBIAN",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2019/dsa-4452"
},
{
"name": "20190527 [SECURITY] [DSA 4452-1] jackson-databind security update",
"refsource": "BUGTRAQ",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://seclists.org/bugtraq/2019/May/68"
},
{
"name": "https://security.netapp.com/advisory/ntap-20190530-0003/",
"refsource": "CONFIRM",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20190530-0003/"
},
{
"name": "RHSA-2019:1782",
"refsource": "REDHAT",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1782"
},
{
"name": "RHSA-2019:1797",
"refsource": "REDHAT",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1797"
},
{
"name": "RHSA-2019:1823",
"refsource": "REDHAT",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1823"
},
{
"name": "RHSA-2019:1822",
"refsource": "REDHAT",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1822"
},
{
"name": "RHSA-2019:2804",
"refsource": "REDHAT",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:2804"
},
{
"name": "RHSA-2019:2858",
"refsource": "REDHAT",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:2858"
},
{
"name": "RHSA-2019:3002",
"refsource": "REDHAT",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:3002"
},
{
"name": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html",
"refsource": "MISC",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
},
{
"name": "RHSA-2019:3140",
"refsource": "REDHAT",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:3140"
},
{
"name": "[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities",
"refsource": "MLIST",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E"
},
{
"name": "RHSA-2019:3149",
"refsource": "REDHAT",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:3149"
},
{
"name": "[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
"refsource": "MLIST",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E"
},
{
"name": "[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
"refsource": "MLIST",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E"
},
{
"name": "RHSA-2019:3892",
"refsource": "REDHAT",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:3892"
},
{
"name": "RHSA-2019:4037",
"refsource": "REDHAT",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:4037"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2020.html",
"refsource": "MISC",
"tags": [
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpujan2020.html"
},
{
"name": "N/A",
"refsource": "N/A",
"tags": [
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2020.html",
"refsource": "MISC",
"tags": [
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"name": "[druid-commits] 20210324 [GitHub] [druid] jihoonson opened a new pull request #11030: Suppress cves",
"refsource": "MLIST",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.apache.org/thread.html/r1d4a247329a8478073163567bbc8c8cb6b49c6bfc2bf58153a857af1@%3Ccommits.druid.apache.org%3E"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9
}
},
"lastModifiedDate": "2023-09-13T14:22Z",
"publishedDate": "2019-01-02T18:29Z"
}
}
}
OPENSUSE-SU-2024:10868-1
Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64 | — |
Vendor Fix
|
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "jackson-databind-2.10.5.1-2.2 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the jackson-databind-2.10.5.1-2.2 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-10868",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_10868-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-11307 page",
"url": "https://www.suse.com/security/cve/CVE-2018-11307/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-12022 page",
"url": "https://www.suse.com/security/cve/CVE-2018-12022/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-12023 page",
"url": "https://www.suse.com/security/cve/CVE-2018-12023/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-14718 page",
"url": "https://www.suse.com/security/cve/CVE-2018-14718/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-14721 page",
"url": "https://www.suse.com/security/cve/CVE-2018-14721/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-19360 page",
"url": "https://www.suse.com/security/cve/CVE-2018-19360/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-19361 page",
"url": "https://www.suse.com/security/cve/CVE-2018-19361/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-7489 page",
"url": "https://www.suse.com/security/cve/CVE-2018-7489/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2019-12086 page",
"url": "https://www.suse.com/security/cve/CVE-2019-12086/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2019-12384 page",
"url": "https://www.suse.com/security/cve/CVE-2019-12384/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2019-12814 page",
"url": "https://www.suse.com/security/cve/CVE-2019-12814/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2019-14379 page",
"url": "https://www.suse.com/security/cve/CVE-2019-14379/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2019-14439 page",
"url": "https://www.suse.com/security/cve/CVE-2019-14439/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2019-14540 page",
"url": "https://www.suse.com/security/cve/CVE-2019-14540/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2019-14893 page",
"url": "https://www.suse.com/security/cve/CVE-2019-14893/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2019-16942 page",
"url": "https://www.suse.com/security/cve/CVE-2019-16942/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2019-17267 page",
"url": "https://www.suse.com/security/cve/CVE-2019-17267/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2019-17531 page",
"url": "https://www.suse.com/security/cve/CVE-2019-17531/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2019-20330 page",
"url": "https://www.suse.com/security/cve/CVE-2019-20330/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-25649 page",
"url": "https://www.suse.com/security/cve/CVE-2020-25649/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-35728 page",
"url": "https://www.suse.com/security/cve/CVE-2020-35728/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-20190 page",
"url": "https://www.suse.com/security/cve/CVE-2021-20190/"
}
],
"title": "jackson-databind-2.10.5.1-2.2 on GA media",
"tracking": {
"current_release_date": "2024-06-15T00:00:00Z",
"generator": {
"date": "2024-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:10868-1",
"initial_release_date": "2024-06-15T00:00:00Z",
"revision_history": [
{
"date": "2024-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "jackson-databind-2.10.5.1-2.2.aarch64",
"product": {
"name": "jackson-databind-2.10.5.1-2.2.aarch64",
"product_id": "jackson-databind-2.10.5.1-2.2.aarch64"
}
},
{
"category": "product_version",
"name": "jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
"product": {
"name": "jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
"product_id": "jackson-databind-javadoc-2.10.5.1-2.2.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "jackson-databind-2.10.5.1-2.2.ppc64le",
"product": {
"name": "jackson-databind-2.10.5.1-2.2.ppc64le",
"product_id": "jackson-databind-2.10.5.1-2.2.ppc64le"
}
},
{
"category": "product_version",
"name": "jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
"product": {
"name": "jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
"product_id": "jackson-databind-javadoc-2.10.5.1-2.2.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "jackson-databind-2.10.5.1-2.2.s390x",
"product": {
"name": "jackson-databind-2.10.5.1-2.2.s390x",
"product_id": "jackson-databind-2.10.5.1-2.2.s390x"
}
},
{
"category": "product_version",
"name": "jackson-databind-javadoc-2.10.5.1-2.2.s390x",
"product": {
"name": "jackson-databind-javadoc-2.10.5.1-2.2.s390x",
"product_id": "jackson-databind-javadoc-2.10.5.1-2.2.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "jackson-databind-2.10.5.1-2.2.x86_64",
"product": {
"name": "jackson-databind-2.10.5.1-2.2.x86_64",
"product_id": "jackson-databind-2.10.5.1-2.2.x86_64"
}
},
{
"category": "product_version",
"name": "jackson-databind-javadoc-2.10.5.1-2.2.x86_64",
"product": {
"name": "jackson-databind-javadoc-2.10.5.1-2.2.x86_64",
"product_id": "jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "jackson-databind-2.10.5.1-2.2.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64"
},
"product_reference": "jackson-databind-2.10.5.1-2.2.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jackson-databind-2.10.5.1-2.2.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le"
},
"product_reference": "jackson-databind-2.10.5.1-2.2.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jackson-databind-2.10.5.1-2.2.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x"
},
"product_reference": "jackson-databind-2.10.5.1-2.2.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jackson-databind-2.10.5.1-2.2.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64"
},
"product_reference": "jackson-databind-2.10.5.1-2.2.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jackson-databind-javadoc-2.10.5.1-2.2.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64"
},
"product_reference": "jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jackson-databind-javadoc-2.10.5.1-2.2.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le"
},
"product_reference": "jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jackson-databind-javadoc-2.10.5.1-2.2.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x"
},
"product_reference": "jackson-databind-javadoc-2.10.5.1-2.2.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jackson-databind-javadoc-2.10.5.1-2.2.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
},
"product_reference": "jackson-databind-javadoc-2.10.5.1-2.2.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2018-11307",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-11307"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and 2.9.6.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-11307",
"url": "https://www.suse.com/security/cve/CVE-2018-11307"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2018-11307"
},
{
"cve": "CVE-2018-12022",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-12022"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-12022",
"url": "https://www.suse.com/security/cve/CVE-2018-12022"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2018-12022"
},
{
"cve": "CVE-2018-12023",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-12023"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-12023",
"url": "https://www.suse.com/security/cve/CVE-2018-12023"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2018-12023"
},
{
"cve": "CVE-2018-14718",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-14718"
}
],
"notes": [
{
"category": "general",
"text": "FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-14718",
"url": "https://www.suse.com/security/cve/CVE-2018-14718"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2018-14718"
},
{
"cve": "CVE-2018-14721",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-14721"
}
],
"notes": [
{
"category": "general",
"text": "FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-14721",
"url": "https://www.suse.com/security/cve/CVE-2018-14721"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 10,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2018-14721"
},
{
"cve": "CVE-2018-19360",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-19360"
}
],
"notes": [
{
"category": "general",
"text": "FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-19360",
"url": "https://www.suse.com/security/cve/CVE-2018-19360"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2018-19360"
},
{
"cve": "CVE-2018-19361",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-19361"
}
],
"notes": [
{
"category": "general",
"text": "FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-19361",
"url": "https://www.suse.com/security/cve/CVE-2018-19361"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2018-19361"
},
{
"cve": "CVE-2018-7489",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-7489"
}
],
"notes": [
{
"category": "general",
"text": "FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-7489",
"url": "https://www.suse.com/security/cve/CVE-2018-7489"
},
{
"category": "external",
"summary": "SUSE Bug 1202327 for CVE-2018-7489",
"url": "https://bugzilla.suse.com/1202327"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2018-7489"
},
{
"cve": "CVE-2019-12086",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2019-12086"
}
],
"notes": [
{
"category": "general",
"text": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2019-12086",
"url": "https://www.suse.com/security/cve/CVE-2019-12086"
},
{
"category": "external",
"summary": "SUSE Bug 1202327 for CVE-2019-12086",
"url": "https://bugzilla.suse.com/1202327"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2019-12086"
},
{
"cve": "CVE-2019-12384",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2019-12384"
}
],
"notes": [
{
"category": "general",
"text": "FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2019-12384",
"url": "https://www.suse.com/security/cve/CVE-2019-12384"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2019-12384"
},
{
"cve": "CVE-2019-12814",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2019-12814"
}
],
"notes": [
{
"category": "general",
"text": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2019-12814",
"url": "https://www.suse.com/security/cve/CVE-2019-12814"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2019-12814"
},
{
"cve": "CVE-2019-14379",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2019-14379"
}
],
"notes": [
{
"category": "general",
"text": "SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2019-14379",
"url": "https://www.suse.com/security/cve/CVE-2019-14379"
},
{
"category": "external",
"summary": "SUSE Bug 1165035 for CVE-2019-14379",
"url": "https://bugzilla.suse.com/1165035"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2019-14379"
},
{
"cve": "CVE-2019-14439",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2019-14439"
}
],
"notes": [
{
"category": "general",
"text": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2019-14439",
"url": "https://www.suse.com/security/cve/CVE-2019-14439"
},
{
"category": "external",
"summary": "SUSE Bug 1165034 for CVE-2019-14439",
"url": "https://bugzilla.suse.com/1165034"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2019-14439"
},
{
"cve": "CVE-2019-14540",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2019-14540"
}
],
"notes": [
{
"category": "general",
"text": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2019-14540",
"url": "https://www.suse.com/security/cve/CVE-2019-14540"
},
{
"category": "external",
"summary": "SUSE Bug 1165038 for CVE-2019-14540",
"url": "https://bugzilla.suse.com/1165038"
},
{
"category": "external",
"summary": "SUSE Bug 1165039 for CVE-2019-14540",
"url": "https://bugzilla.suse.com/1165039"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2019-14540"
},
{
"cve": "CVE-2019-14893",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2019-14893"
}
],
"notes": [
{
"category": "general",
"text": "A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2019-14893",
"url": "https://www.suse.com/security/cve/CVE-2019-14893"
},
{
"category": "external",
"summary": "SUSE Bug 1157186 for CVE-2019-14893",
"url": "https://bugzilla.suse.com/1157186"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2019-14893"
},
{
"cve": "CVE-2019-16942",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2019-16942"
}
],
"notes": [
{
"category": "general",
"text": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2019-16942",
"url": "https://www.suse.com/security/cve/CVE-2019-16942"
},
{
"category": "external",
"summary": "SUSE Bug 1165041 for CVE-2019-16942",
"url": "https://bugzilla.suse.com/1165041"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2019-16942"
},
{
"cve": "CVE-2019-17267",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2019-17267"
}
],
"notes": [
{
"category": "general",
"text": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2019-17267",
"url": "https://www.suse.com/security/cve/CVE-2019-17267"
},
{
"category": "external",
"summary": "SUSE Bug 1165044 for CVE-2019-17267",
"url": "https://bugzilla.suse.com/1165044"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2019-17267"
},
{
"cve": "CVE-2019-17531",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2019-17531"
}
],
"notes": [
{
"category": "general",
"text": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2019-17531",
"url": "https://www.suse.com/security/cve/CVE-2019-17531"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2019-17531"
},
{
"cve": "CVE-2019-20330",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2019-20330"
}
],
"notes": [
{
"category": "general",
"text": "FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2019-20330",
"url": "https://www.suse.com/security/cve/CVE-2019-20330"
},
{
"category": "external",
"summary": "SUSE Bug 1160113 for CVE-2019-20330",
"url": "https://bugzilla.suse.com/1160113"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2019-20330"
},
{
"cve": "CVE-2020-25649",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-25649"
}
],
"notes": [
{
"category": "general",
"text": "A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw leaves it vulnerable to XML external entity (XXE) attacks. The highest threat from this vulnerability is to data integrity.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-25649",
"url": "https://www.suse.com/security/cve/CVE-2020-25649"
},
{
"category": "external",
"summary": "SUSE Bug 1177616 for CVE-2020-25649",
"url": "https://bugzilla.suse.com/1177616"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2020-25649"
},
{
"cve": "CVE-2020-35728",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-35728"
}
],
"notes": [
{
"category": "general",
"text": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl).",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-35728",
"url": "https://www.suse.com/security/cve/CVE-2020-35728"
},
{
"category": "external",
"summary": "SUSE Bug 1180391 for CVE-2020-35728",
"url": "https://bugzilla.suse.com/1180391"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2020-35728"
},
{
"cve": "CVE-2021-20190",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-20190"
}
],
"notes": [
{
"category": "general",
"text": "A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-20190",
"url": "https://www.suse.com/security/cve/CVE-2021-20190"
},
{
"category": "external",
"summary": "SUSE Bug 1181118 for CVE-2021-20190",
"url": "https://bugzilla.suse.com/1181118"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2021-20190"
}
]
}
RHSA-2019:0782
Vulnerability from csaf_redhat - Published: 2019-04-17 21:03 - Updated: 2026-05-14 22:24
A vulnerability was discovered in jackson-databind where it would permit deserialization of a malicious object using MyBatis classes when using DefaultTyping. An attacker could use this flaw to achieve content exfiltration and possibly conduct further attacks.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
A vulnerability was discovered in jackson-databind where it would permit deserialization of a malicious object using Jodd DB connection classes when using DefaultTyping. An attacker could use this flaw to achieve remote code execution under certain circumstances.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
A vulnerability was discovered in jackson-databind where it would permit deserialization of a malicious object using Oracle JDBC classes when using DefaultTyping. An attacker could use this flaw to achieve remote code execution under certain circumstances.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using slf4j classes. An attacker could use this flaw to execute arbitrary code.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using blaze classes. An attacker could use this flaw to execute arbitrary code.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the slf4j, flex messaging, sun DRSHelper and JAX-WS gadgets when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
Workaround
|
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using the axis2-transport-jms class. An attacker could use this flaw to execute arbitrary code.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using the OpenJPA class. An attacker could use this flaw to execute arbitrary code.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using the jboss-common-core class. An attacker could use this flaw to execute arbitrary code.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch | — |
Vendor Fix
fix
|
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for rh-maven35-jackson-databind is now available for Red Hat Software Collections.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "The jackson-databind package provides general data-binding functionality for Jackson, which works on top of Jackson core streaming API.\n\nSecurity Fix(es):\n\n* jackson-databind: Potential information exfiltration with default typing, serialization gadget from MyBatis (CVE-2018-11307)\n\n* jackson-databind: improper polymorphic deserialization of types from Jodd-db library (CVE-2018-12022)\n\n* jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver (CVE-2018-12023)\n\n* jackson-databind: arbitrary code execution in slf4j-ext class (CVE-2018-14718)\n\n* jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes (CVE-2018-14719)\n\n* jackson-databind: improper polymorphic deserialization in axis2-transport-jms class (CVE-2018-19360)\n\n* jackson-databind: improper polymorphic deserialization in openjpa class (CVE-2018-19361)\n\n* jackson-databind: improper polymorphic deserialization in jboss-common-core class (CVE-2018-19362)\n\n* jackson-databind: exfiltration/XXE in some JDK classes (CVE-2018-14720)\n\n* jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class (CVE-2018-14721)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2019:0782",
"url": "https://access.redhat.com/errata/RHSA-2019:0782"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1666415",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666415"
},
{
"category": "external",
"summary": "1666418",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666418"
},
{
"category": "external",
"summary": "1666423",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666423"
},
{
"category": "external",
"summary": "1666428",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666428"
},
{
"category": "external",
"summary": "1666482",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666482"
},
{
"category": "external",
"summary": "1666484",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666484"
},
{
"category": "external",
"summary": "1666489",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666489"
},
{
"category": "external",
"summary": "1671096",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1671096"
},
{
"category": "external",
"summary": "1671097",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1671097"
},
{
"category": "external",
"summary": "1677341",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1677341"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2019/rhsa-2019_0782.json"
}
],
"title": "Red Hat Security Advisory: rh-maven35-jackson-databind security update",
"tracking": {
"current_release_date": "2026-05-14T22:24:23+00:00",
"generator": {
"date": "2026-05-14T22:24:23+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.0"
}
},
"id": "RHSA-2019:0782",
"initial_release_date": "2019-04-17T21:03:00+00:00",
"revision_history": [
{
"date": "2019-04-17T21:03:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2019-04-17T21:03:00+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-14T22:24:23+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7)",
"product": {
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-Alt-RHSCL-3.2",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_software_collections:3::el7"
}
}
},
{
"category": "product_name",
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7)",
"product": {
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-RHSCL-3.2",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_software_collections:3::el7"
}
}
},
{
"category": "product_name",
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7)",
"product": {
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-RHSCL-3.2",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_software_collections:3::el7"
}
}
},
{
"category": "product_name",
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.4)",
"product": {
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.4)",
"product_id": "7Server-RHSCL-3.2-7.4.Z",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_software_collections:3::el7"
}
}
},
{
"category": "product_name",
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.5)",
"product": {
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.5)",
"product_id": "7Server-RHSCL-3.2-7.5.Z",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_software_collections:3::el7"
}
}
},
{
"category": "product_name",
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.6)",
"product": {
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.6)",
"product_id": "7Server-RHSCL-3.2-7.6.Z",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_software_collections:3::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat Software Collections"
},
{
"branches": [
{
"category": "product_version",
"name": "rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"product": {
"name": "rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"product_id": "rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-maven35-jackson-databind-javadoc@2.7.6-2.5.el7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"product": {
"name": "rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"product_id": "rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-maven35-jackson-databind@2.7.6-2.5.el7?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"product": {
"name": "rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"product_id": "rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-maven35-jackson-databind@2.7.6-2.5.el7?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch"
},
"product_reference": "rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"relates_to_product_reference": "7Server-Alt-RHSCL-3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src"
},
"product_reference": "rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"relates_to_product_reference": "7Server-Alt-RHSCL-3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch"
},
"product_reference": "rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"relates_to_product_reference": "7Server-Alt-RHSCL-3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.4)",
"product_id": "7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch"
},
"product_reference": "rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"relates_to_product_reference": "7Server-RHSCL-3.2-7.4.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.4)",
"product_id": "7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src"
},
"product_reference": "rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"relates_to_product_reference": "7Server-RHSCL-3.2-7.4.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.4)",
"product_id": "7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch"
},
"product_reference": "rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"relates_to_product_reference": "7Server-RHSCL-3.2-7.4.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.5)",
"product_id": "7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch"
},
"product_reference": "rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"relates_to_product_reference": "7Server-RHSCL-3.2-7.5.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.5)",
"product_id": "7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src"
},
"product_reference": "rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"relates_to_product_reference": "7Server-RHSCL-3.2-7.5.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.5)",
"product_id": "7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch"
},
"product_reference": "rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"relates_to_product_reference": "7Server-RHSCL-3.2-7.5.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.6)",
"product_id": "7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch"
},
"product_reference": "rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"relates_to_product_reference": "7Server-RHSCL-3.2-7.6.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.6)",
"product_id": "7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src"
},
"product_reference": "rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"relates_to_product_reference": "7Server-RHSCL-3.2-7.6.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.6)",
"product_id": "7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch"
},
"product_reference": "rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"relates_to_product_reference": "7Server-RHSCL-3.2-7.6.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch"
},
"product_reference": "rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"relates_to_product_reference": "7Server-RHSCL-3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src"
},
"product_reference": "rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"relates_to_product_reference": "7Server-RHSCL-3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch"
},
"product_reference": "rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"relates_to_product_reference": "7Server-RHSCL-3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch"
},
"product_reference": "rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"relates_to_product_reference": "7Workstation-RHSCL-3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src as a component of Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src"
},
"product_reference": "rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"relates_to_product_reference": "7Workstation-RHSCL-3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch"
},
"product_reference": "rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"relates_to_product_reference": "7Workstation-RHSCL-3.2"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2018-11307",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2019-02-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1677341"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was discovered in jackson-databind where it would permit deserialization of a malicious object using MyBatis classes when using DefaultTyping. An attacker could use this flaw to achieve content exfiltration and possibly conduct further attacks.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: Potential information exfiltration with default typing, serialization gadget from MyBatis",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6 is not affected by this issue, since Candlepin\u0027s Java runtime environment does not load MyBatis classes.\n\nRed Hat Virtualization 4 is not affected by this issue, since it does not include MyBatis classes.\n\nRed Hat Fuse 6 and 7 are not directly affected by this issue: although they do ship the vulnerable jackson-databind component, they do not enable polymorphic deserialization or default typing, which are required for exploitability. Their impacts have correspondingly been reduced to Moderate. Future updates may address this flaw.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-11307"
},
{
"category": "external",
"summary": "RHBZ#1677341",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1677341"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-11307",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-11307"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-11307",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11307"
}
],
"release_date": "2018-05-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-04-17T21:03:00+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:0782"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jackson-databind: Potential information exfiltration with default typing, serialization gadget from MyBatis"
},
{
"cve": "CVE-2018-12022",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2019-01-16T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1671097"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was discovered in jackson-databind where it would permit deserialization of a malicious object using Jodd DB connection classes when using DefaultTyping. An attacker could use this flaw to achieve remote code execution under certain circumstances.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: improper polymorphic deserialization of types from Jodd-db library",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6 is not affected by this issue, since Candlepin\u0027s Java runtime environment does not load Jodd classes.\n\nRed Hat Virtualization 4 is not affected by this issue, since it does not load Jodd classes.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-12022"
},
{
"category": "external",
"summary": "RHBZ#1671097",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1671097"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-12022",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-12022"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-12022",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12022"
}
],
"release_date": "2018-05-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-04-17T21:03:00+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:0782"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jackson-databind: improper polymorphic deserialization of types from Jodd-db library"
},
{
"cve": "CVE-2018-12023",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2019-01-16T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1671096"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was discovered in jackson-databind where it would permit deserialization of a malicious object using Oracle JDBC classes when using DefaultTyping. An attacker could use this flaw to achieve remote code execution under certain circumstances.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6 is not affected by this issue, since Candlepin\u0027s Java runtime environment does not load Oracle\u0027s JDBC classes.\n\nRed Hat Virtualization 4 is not affected by this issue, since it does not load Oracle\u0027s JDBC classes.\n\nRed Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-12023"
},
{
"category": "external",
"summary": "RHBZ#1671096",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1671096"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-12023",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-12023"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-12023",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12023"
}
],
"release_date": "2018-06-08T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-04-17T21:03:00+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:0782"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver"
},
{
"cve": "CVE-2018-14718",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2019-01-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1666415"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using slf4j classes. An attacker could use this flaw to execute arbitrary code.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: arbitrary code execution in slf4j-ext class",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability in jackson-databind involves exploiting CVE-2018-8088 against slf4j, which was fixed in Red Hat products through the errata referenced at https://access.redhat.com/security/cve/cve-2018-8088. Applications that link only slf4j versions including that fix are not affected by this vulnerability.\n\nRed Hat Satellite 6 is not affected by this issue, since its candlepin component doesn\u0027t bundle slf4j-ext jar.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14718"
},
{
"category": "external",
"summary": "RHBZ#1666415",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666415"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14718",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14718"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14718",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14718"
}
],
"release_date": "2018-07-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-04-17T21:03:00+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:0782"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jackson-databind: arbitrary code execution in slf4j-ext class"
},
{
"cve": "CVE-2018-14719",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2019-01-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1666418"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using blaze classes. An attacker could use this flaw to execute arbitrary code.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The following Red Hat products are not affected by this issue as they do not bundle or provide the requisite gadget jars to exploit this vulnerability:\nRed Hat Satellite 6\nRed Hat Enterprise Virtualization 4\nRed Hat Fuse 6, 7, and Fuse Integration Services 2\nRed Hat A-MQ 6",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14719"
},
{
"category": "external",
"summary": "RHBZ#1666418",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666418"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14719",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14719"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14719",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14719"
}
],
"release_date": "2018-07-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-04-17T21:03:00+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:0782"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes"
},
{
"cve": "CVE-2018-14720",
"cwe": {
"id": "CWE-611",
"name": "Improper Restriction of XML External Entity Reference"
},
"discovery_date": "2019-01-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1666423"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the slf4j, flex messaging, sun DRSHelper and JAX-WS gadgets when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: exfiltration/XXE in some JDK classes",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6 is not affected by this issue, since its only supported Java runtime (openJDK) doesn\u0027t bundle the com.sun.deploy.security.ruleset.DRSHelper class.\n\nRed Hat Enterprise Virtualization 4 is not affected by this issue, since its only supported Java runtime (openJDK) doesn\u0027t bundle the com.sun.deploy.security.ruleset.DRSHelper class.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14720"
},
{
"category": "external",
"summary": "RHBZ#1666423",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666423"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14720",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14720"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14720",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14720"
}
],
"release_date": "2018-07-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-04-17T21:03:00+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:0782"
},
{
"category": "workaround",
"details": "The following conditions are needed for an exploit; we recommend avoiding all of them if possible:\n* Deserialization from sources you do not control\n* `enableDefaultTyping()`\n* `@JsonTypeInfo` using `Id.CLASS` or `Id.MINIMAL_CLASS`",
"product_ids": [
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: exfiltration/XXE in some JDK classes"
},
{
"cve": "CVE-2018-14721",
"cwe": {
"id": "CWE-352",
"name": "Cross-Site Request Forgery (CSRF)"
},
"discovery_date": "2019-01-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1666428"
}
],
"notes": [
{
"category": "description",
"text": "FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6 is not affected by this issue, since its candlepin component doesn\u0027t bundle axis2-jaxws jar.\n\nRed Hat Virtualization is not affected by this issue, since it does not bundle axis2-jaxws jar.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14721"
},
{
"category": "external",
"summary": "RHBZ#1666428",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666428"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14721",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14721"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14721",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14721"
}
],
"release_date": "2018-07-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-04-17T21:03:00+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:0782"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class"
},
{
"cve": "CVE-2018-19360",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2019-01-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1666482"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using the axis2-transport-jms class. An attacker could use this flaw to execute arbitrary code.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: improper polymorphic deserialization in axis2-transport-jms class",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6 is not affected by this issue, since its candlepin component doesn\u0027t include axis2-transport-jms jar.\n\nRed Hat Virtualization 4 is not affected by this issue, since it does not include axis2-transport-jms jar.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-19360"
},
{
"category": "external",
"summary": "RHBZ#1666482",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666482"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-19360",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-19360"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-19360",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19360"
}
],
"release_date": "2018-11-18T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-04-17T21:03:00+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:0782"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jackson-databind: improper polymorphic deserialization in axis2-transport-jms class"
},
{
"cve": "CVE-2018-19361",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2019-01-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1666484"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using the OpenJPA class. An attacker could use this flaw to execute arbitrary code.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: improper polymorphic deserialization in openjpa class",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6 is not affected by this issue, since its candlepin component doesn\u0027t bundle openjpa jar.\n\nRed Hat Virtualization 4 is not affected by this issue, since its candlepin component doesn\u0027t bundle openjpa jar.\n\nRed Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-19361"
},
{
"category": "external",
"summary": "RHBZ#1666484",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666484"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-19361",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-19361"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-19361",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19361"
}
],
"release_date": "2018-11-18T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-04-17T21:03:00+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:0782"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jackson-databind: improper polymorphic deserialization in openjpa class"
},
{
"cve": "CVE-2018-19362",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2019-01-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1666489"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using the jboss-common-core class. An attacker could use this flaw to execute arbitrary code.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: improper polymorphic deserialization in jboss-common-core class",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6 is not affected by this issue, since its candlepin component doesn\u0027t bundle jboss-common-core jar.\n\nRed Hat Virtualization 4 is not affected by this issue, since its candlepin component doesn\u0027t bundle jboss-common-core jar.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-19362"
},
{
"category": "external",
"summary": "RHBZ#1666489",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666489"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-19362",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-19362"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-19362",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19362"
}
],
"release_date": "2018-11-18T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-04-17T21:03:00+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:0782"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-Alt-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.4.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.5.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2-7.6.Z:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Server-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.noarch",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-0:2.7.6-2.5.el7.src",
"7Workstation-RHSCL-3.2:rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jackson-databind: improper polymorphic deserialization in jboss-common-core class"
}
]
}
RHSA-2019:0877
Vulnerability from csaf_redhat - Published: 2019-04-24 18:46 - Updated: 2026-05-14 22:24
It was found that the fix for CVE-2016-4993 was incomplete and that the Undertow web server is vulnerable to the injection of arbitrary HTTP headers, and also to response splitting, due to insufficient sanitization and validation of user input before the input is used as part of an HTTP header value.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Text-Only RHOAR<br>Red Hat / Red Hat OpenShift Application Runtimes | cpe:/a:redhat:openshift_application_runtimes:1.0 | — | Vendor Fix<br>fix |
It was found that URLResource.getLastModified() in Undertow closes the file descriptors only when they are finalized, which can cause file descriptors to be exhausted. This leads to a file handle leak.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Text-Only RHOAR<br>Red Hat / Red Hat OpenShift Application Runtimes | cpe:/a:redhat:openshift_application_runtimes:1.0 | — | Vendor Fix<br>fix |
It was found that the explode function of the deployment utility in jboss-cli and console that allows extraction of files from an archive does not perform necessary validation for directory traversal. This can lead to remote code execution.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Text-Only RHOAR<br>Red Hat / Red Hat OpenShift Application Runtimes | cpe:/a:redhat:openshift_application_runtimes:1.0 | — | Vendor Fix<br>fix |
It was found that SAML authentication in Keycloak 3.4.3.Final incorrectly authenticated expired certificates. A malicious user could use this to access unauthorized data or possibly conduct further attacks.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Text-Only RHOAR<br>Red Hat / Red Hat OpenShift Application Runtimes | cpe:/a:redhat:openshift_application_runtimes:1.0 | — | Vendor Fix<br>fix |
Keycloak before version 4.0.0.final is vulnerable to an infinite loop in session replacement. A Keycloak cluster with multiple nodes could mishandle an expired session replacement, leading to an infinite loop. A malicious authenticated user could use this flaw to cause a denial of service on the server.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Text-Only RHOAR<br>Red Hat / Red Hat OpenShift Application Runtimes | cpe:/a:redhat:openshift_application_runtimes:1.0 | — | Vendor Fix<br>fix |
A vulnerability was discovered in jackson-databind where it would permit deserialization of a malicious object using MyBatis classes when using DefaultTyping. An attacker could use this flaw to achieve content exfiltration and possibly conduct further attacks.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Text-Only RHOAR<br>Red Hat / Red Hat OpenShift Application Runtimes | cpe:/a:redhat:openshift_application_runtimes:1.0 | — | Vendor Fix<br>fix |
A vulnerability was discovered in jackson-databind where it would permit deserialization of a malicious object using Jodd DB connection classes when using DefaultTyping. An attacker could use this flaw to achieve remote code execution under certain circumstances.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Text-Only RHOAR<br>Red Hat / Red Hat OpenShift Application Runtimes | cpe:/a:redhat:openshift_application_runtimes:1.0 | — | Vendor Fix<br>fix |
A vulnerability was discovered in jackson-databind where it would permit deserialization of a malicious object using Oracle JDBC classes when using DefaultTyping. An attacker could use this flaw to achieve remote code execution under certain circumstances.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Text-Only RHOAR<br>Red Hat / Red Hat OpenShift Application Runtimes | cpe:/a:redhat:openshift_application_runtimes:1.0 | — | Vendor Fix<br>fix |
A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using slf4j classes. An attacker could use this flaw to execute arbitrary code.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Text-Only RHOAR<br>Red Hat / Red Hat OpenShift Application Runtimes | cpe:/a:redhat:openshift_application_runtimes:1.0 | — | Vendor Fix<br>fix |
A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using blaze classes. An attacker could use this flaw to execute arbitrary code.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Text-Only RHOAR<br>Red Hat / Red Hat OpenShift Application Runtimes | cpe:/a:redhat:openshift_application_runtimes:1.0 | — | Vendor Fix<br>fix |
A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using the axis2-transport-jms class. An attacker could use this flaw to execute arbitrary code.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Text-Only RHOAR<br>Red Hat / Red Hat OpenShift Application Runtimes | cpe:/a:redhat:openshift_application_runtimes:1.0 | — | Vendor Fix<br>fix |
A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using the OpenJPA class. An attacker could use this flaw to execute arbitrary code.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Text-Only RHOAR<br>Red Hat / Red Hat OpenShift Application Runtimes | cpe:/a:redhat:openshift_application_runtimes:1.0 | — | Vendor Fix<br>fix |
A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using the jboss-common-core class. An attacker could use this flaw to execute arbitrary code.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Text-Only RHOAR<br>Red Hat / Red Hat OpenShift Application Runtimes | cpe:/a:redhat:openshift_application_runtimes:1.0 | — | Vendor Fix<br>fix |
A vulnerability was found in BouncyCastle. The number of iterations of the Miller-Rabin primality test was incorrectly calculated (according to FIPS 186-4 C.3). Under some circumstances, this could lead to the generation of weak RSA key pairs.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Text-Only RHOAR<br>Red Hat / Red Hat OpenShift Application Runtimes | cpe:/a:redhat:openshift_application_runtimes:1.0 | — | Vendor Fix<br>fix |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Red Hat OpenShift Application Runtimes.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat OpenShift Application Runtimes provides an application platform that reduces the complexity of developing and operating applications (monoliths and microservices) for OpenShift as a containerized platform.\n\nThis release of RHOAR Thorntail 2.4.0 serves as a replacement for RHOAR Thorntail 2.2.0, and includes security and bug fixes and enhancements. For further information, refer to the release notes linked to in the References section.\n\nSecurity Fix(es):\n\n* undertow: HTTP header injection using CRLF with UTF-8 Encoding (incomplete fix of CVE-2016-4993) (CVE-2018-1067)\n\n* keycloak: auth permitted with expired certs in SAML client (CVE-2018-10894)\n\n* undertow: File descriptor leak caused by JarURLConnection.getLastModified() allows attacker to cause a denial of service (CVE-2018-1114)\n\n* keycloak: infinite loop in session replacement leading to denial of service (CVE-2018-10912)\n\n* wildfly-core: Path traversal can allow the extraction of .war archives to write arbitrary files (Zip Slip) (CVE-2018-10862)\n\n* jackson-databind: arbitrary code execution in slf4j-ext class (CVE-2018-14718)\n\n* jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes (CVE-2018-14719)\n\n* jackson-databind: improper polymorphic deserialization in axis2-transport-jms class (CVE-2018-19360)\n\n* jackson-databind: improper polymorphic deserialization in openjpa class (CVE-2018-19361)\n\n* jackson-databind: improper polymorphic deserialization in jboss-common-core class (CVE-2018-19362)\n\n* jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver (CVE-2018-12023)\n\n* jackson-databind: improper polymorphic deserialization of types from Jodd-db library (CVE-2018-12022)\n\n* jackson-databind: Potential information exfiltration with default typing, serialization gadget from MyBatis (CVE-2018-11307)\n\n* bouncycastle: flaw in the low-level interface to RSA key pair generator (CVE-2018-1000180)\n\nFor more 
details about the security issue(s), including the impact, a CVSS\nscore, and other related information, refer to the CVE page(s) listed in\nthe References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2019:0877",
"url": "https://access.redhat.com/errata/RHSA-2019:0877"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=catRhoar.thorntail\u0026version=2.4.0",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=catRhoar.thorntail\u0026version=2.4.0"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en-us/red_hat_openshift_application_runtimes/1/html-single/rhoar_thorntail_release_notes/",
"url": "https://access.redhat.com/documentation/en-us/red_hat_openshift_application_runtimes/1/html-single/rhoar_thorntail_release_notes/"
},
{
"category": "external",
"summary": "1550671",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1550671"
},
{
"category": "external",
"summary": "1573045",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1573045"
},
{
"category": "external",
"summary": "1588306",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1588306"
},
{
"category": "external",
"summary": "1593527",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1593527"
},
{
"category": "external",
"summary": "1599434",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1599434"
},
{
"category": "external",
"summary": "1607624",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1607624"
},
{
"category": "external",
"summary": "1666415",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666415"
},
{
"category": "external",
"summary": "1666418",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666418"
},
{
"category": "external",
"summary": "1666482",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666482"
},
{
"category": "external",
"summary": "1666484",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666484"
},
{
"category": "external",
"summary": "1666489",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666489"
},
{
"category": "external",
"summary": "1671096",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1671096"
},
{
"category": "external",
"summary": "1671097",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1671097"
},
{
"category": "external",
"summary": "1677341",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1677341"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2019/rhsa-2019_0877.json"
}
],
"title": "Red Hat Security Advisory: Red Hat OpenShift Application Runtimes Thorntail 2.4.0 security \u0026 bug fix update",
"tracking": {
"current_release_date": "2026-05-14T22:24:23+00:00",
"generator": {
"date": "2026-05-14T22:24:23+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.0"
}
},
"id": "RHSA-2019:0877",
"initial_release_date": "2019-04-24T18:46:31+00:00",
"revision_history": [
{
"date": "2019-04-24T18:46:31+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2019-04-24T18:46:31+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-14T22:24:23+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Text-Only RHOAR",
"product": {
"name": "Text-Only RHOAR",
"product_id": "Text-Only RHOAR",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Application Runtimes"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Ammarit Thongthua",
"Nattakit Intarasorn"
],
"organization": "Deloitte Thailand Pentest team"
}
],
"cve": "CVE-2018-1067",
"cwe": {
"id": "CWE-113",
"name": "Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Request/Response Splitting\u0027)"
},
"discovery_date": "2018-03-01T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1550671"
}
],
"notes": [
{
"category": "description",
"text": "It was found that the fix for CVE-2016-4993 was incomplete and Undertow web server is vulnerable to the injection of arbitrary HTTP headers, and also response splitting, due to insufficient sanitization and validation of user input before the input is used as part of an HTTP header value.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "undertow: HTTP header injection using CRLF with UTF-8 Encoding (incomplete fix of CVE-2016-4993)",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Text-Only RHOAR"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-1067"
},
{
"category": "external",
"summary": "RHBZ#1550671",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1550671"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-1067",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-1067"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-1067",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1067"
}
],
"release_date": "2018-04-25T17:51:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-04-24T18:46:31+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Text-Only RHOAR"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:0877"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"Text-Only RHOAR"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "undertow: HTTP header injection using CRLF with UTF-8 Encoding (incomplete fix of CVE-2016-4993)"
},
{
"cve": "CVE-2018-1114",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2018-04-30T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1573045"
}
],
"notes": [
{
"category": "description",
"text": "It was found that URLResource.getLastModified() in Undertow closes the file descriptors only when they are finalized, which can exhaust the available file descriptors. This leads to a file handle leak.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "undertow: File descriptor leak caused by JarURLConnection.getLastModified() allows attacker to cause a denial of service",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Text-Only RHOAR"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-1114"
},
{
"category": "external",
"summary": "RHBZ#1573045",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1573045"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-1114",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-1114"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-1114",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1114"
},
{
"category": "external",
"summary": "https://bugs.openjdk.java.net/browse/JDK-6956385",
"url": "https://bugs.openjdk.java.net/browse/JDK-6956385"
},
{
"category": "external",
"summary": "https://issues.jboss.org/browse/UNDERTOW-1338",
"url": "https://issues.jboss.org/browse/UNDERTOW-1338"
}
],
"release_date": "2018-04-21T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-04-24T18:46:31+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Text-Only RHOAR"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:0877"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"products": [
"Text-Only RHOAR"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "undertow: File descriptor leak caused by JarURLConnection.getLastModified() allows attacker to cause a denial of service"
},
{
"cve": "CVE-2018-10862",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2018-06-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1593527"
}
],
"notes": [
{
"category": "description",
"text": "It was found that the explode function of the deployment utility in jboss-cli and console that allows extraction of files from an archive does not perform necessary validation for directory traversal. This can lead to remote code execution.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "wildfly-core: Path traversal can allow the extraction of .war archives to write arbitrary files (Zip Slip)",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability can only be exploited by users with deployment permissions.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Text-Only RHOAR"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-10862"
},
{
"category": "external",
"summary": "RHBZ#1593527",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1593527"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-10862",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-10862"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-10862",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10862"
},
{
"category": "external",
"summary": "https://snyk.io/research/zip-slip-vulnerability",
"url": "https://snyk.io/research/zip-slip-vulnerability"
}
],
"release_date": "2018-06-21T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-04-24T18:46:31+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Text-Only RHOAR"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:0877"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L",
"version": "3.0"
},
"products": [
"Text-Only RHOAR"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "wildfly-core: Path traversal can allow the extraction of .war archives to write arbitrary files (Zip Slip)"
},
{
"acknowledgments": [
{
"names": [
"Benjamin Berg"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2018-10894",
"cwe": {
"id": "CWE-345",
"name": "Insufficient Verification of Data Authenticity"
},
"discovery_date": "2018-05-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1599434"
}
],
"notes": [
{
"category": "description",
"text": "It was found that SAML authentication in Keycloak 3.4.3.Final incorrectly authenticated expired certificates. A malicious user could use this to access unauthorized data or possibly conduct further attacks.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: auth permitted with expired certs in SAML client",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Text-Only RHOAR"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-10894"
},
{
"category": "external",
"summary": "RHBZ#1599434",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1599434"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-10894",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-10894"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-10894",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10894"
}
],
"release_date": "2018-07-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-04-24T18:46:31+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Text-Only RHOAR"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:0877"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"Text-Only RHOAR"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: auth permitted with expired certs in SAML client"
},
{
"cve": "CVE-2018-10912",
"cwe": {
"id": "CWE-835",
"name": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)"
},
"discovery_date": "2018-05-25T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1607624"
}
],
"notes": [
{
"category": "description",
"text": "keycloak before version 4.0.0.final is vulnerable to an infinite loop in session replacement. A Keycloak cluster with multiple nodes could mishandle an expired session replacement and lead to an infinite loop. A malicious authenticated user could use this flaw to achieve Denial of Service on the server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: infinite loop in session replacement leading to denial of service",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Text-Only RHOAR"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-10912"
},
{
"category": "external",
"summary": "RHBZ#1607624",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1607624"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-10912",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-10912"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-10912",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10912"
}
],
"release_date": "2018-05-25T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-04-24T18:46:31+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Text-Only RHOAR"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:0877"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"products": [
"Text-Only RHOAR"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: infinite loop in session replacement leading to denial of service"
},
{
"cve": "CVE-2018-11307",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2019-02-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1677341"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was discovered in jackson-databind where it would permit deserialization of a malicious object using MyBatis classes when using DefaultTyping. An attacker could use this flaw to achieve content exfiltration and possibly conduct further attacks.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: Potential information exfiltration with default typing, serialization gadget from MyBatis",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6 is not affected by this issue, since Candlepin\u0027s java runtime environment does not load MyBatis classes.\n\nRed Hat Virtualization 4 is not affected by this issue, since it does not include MyBatis classes.\n\nRed Hat Fuse 6 and 7 are not directly affected by this issue, as although they do ship the vulnerable jackson-databind component, they do not enable polymorphic deserialization or default typing which are required for exploitability. Their impacts have correspondingly been reduced to Moderate. Future updates may address this flaw.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Text-Only RHOAR"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-11307"
},
{
"category": "external",
"summary": "RHBZ#1677341",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1677341"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-11307",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-11307"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-11307",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11307"
}
],
"release_date": "2018-05-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-04-24T18:46:31+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Text-Only RHOAR"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:0877"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"Text-Only RHOAR"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jackson-databind: Potential information exfiltration with default typing, serialization gadget from MyBatis"
},
{
"cve": "CVE-2018-12022",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2019-01-16T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1671097"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was discovered in jackson-databind where it would permit deserialization of a malicious object using Jodd DB connection classes when using DefaultTyping. An attacker could use this flaw to achieve remote code execution under certain circumstances.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: improper polymorphic deserialization of types from Jodd-db library",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6 is not affected by this issue, since Candlepin\u0027s java runtime environment does not load Jodd classes.\n\nRed Hat Virtualization 4 is not affected by this issue, since it does not load Jodd classes.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Text-Only RHOAR"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-12022"
},
{
"category": "external",
"summary": "RHBZ#1671097",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1671097"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-12022",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-12022"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-12022",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12022"
}
],
"release_date": "2018-05-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-04-24T18:46:31+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Text-Only RHOAR"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:0877"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"Text-Only RHOAR"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jackson-databind: improper polymorphic deserialization of types from Jodd-db library"
},
{
"cve": "CVE-2018-12023",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2019-01-16T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1671096"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was discovered in jackson-databind where it would permit deserialization of a malicious object using Oracle JDBC classes when using DefaultTyping. An attacker could use this flaw to achieve remote code execution under certain circumstances.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6 is not affected by this issue, since Candlepin\u0027s java runtime environment does not load Oracle\u0027s JDBC classes.\n\nRed Hat Virtualization 4 is not affected by this issue, since it does not load Oracle\u0027s JDBC classes.\n\nRed Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Text-Only RHOAR"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-12023"
},
{
"category": "external",
"summary": "RHBZ#1671096",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1671096"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-12023",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-12023"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-12023",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12023"
}
],
"release_date": "2018-06-08T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-04-24T18:46:31+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Text-Only RHOAR"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:0877"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"Text-Only RHOAR"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver"
},
{
"cve": "CVE-2018-14718",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2019-01-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1666415"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using slf4j classes. An attacker could use this flaw to execute arbitrary code.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: arbitrary code execution in slf4j-ext class",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability in jackson-databind involves exploiting CVE-2018-8088 against slf4j, which was fixed in Red Hat products through the errata referenced at https://access.redhat.com/security/cve/cve-2018-8088. Applications that link only slf4j versions including that fix are not vulnerable to this vulnerability.\n\nRed Hat Satellite 6 is not affected by this issue, since its candlepin component doesn\u0027t bundle slf4j-ext jar.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Text-Only RHOAR"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14718"
},
{
"category": "external",
"summary": "RHBZ#1666415",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666415"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14718",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14718"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14718",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14718"
}
],
"release_date": "2018-07-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-04-24T18:46:31+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Text-Only RHOAR"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:0877"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"Text-Only RHOAR"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jackson-databind: arbitrary code execution in slf4j-ext class"
},
{
"cve": "CVE-2018-14719",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2019-01-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1666418"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using blaze classes. An attacker could use this flaw to execute arbitrary code.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The following Red Hat products are not affected by this issue as they do not bundle or provide the requisite gadget jars to exploit this vulnerability:\nRed Hat Satellite 6\nRed Hat Enterprise Virtualization 4\nRed Hat Fuse 6, 7, and Fuse Integration Services 2\nRed Hat A-MQ 6",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Text-Only RHOAR"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14719"
},
{
"category": "external",
"summary": "RHBZ#1666418",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666418"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14719",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14719"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14719",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14719"
}
],
"release_date": "2018-07-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-04-24T18:46:31+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Text-Only RHOAR"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:0877"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"Text-Only RHOAR"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes"
},
{
"cve": "CVE-2018-19360",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2019-01-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1666482"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using the axis2-transport-jms class. An attacker could use this flaw to execute arbitrary code.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: improper polymorphic deserialization in axis2-transport-jms class",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6 is not affected by this issue, since its candlepin component doesn\u0027t include axis2-transport-jms jar.\n\nRed Hat Virtualization 4 is not affected by this issue, since it does not include axis2-transport-jms jar.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Text-Only RHOAR"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-19360"
},
{
"category": "external",
"summary": "RHBZ#1666482",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666482"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-19360",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-19360"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-19360",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19360"
}
],
"release_date": "2018-11-18T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-04-24T18:46:31+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Text-Only RHOAR"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:0877"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"Text-Only RHOAR"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jackson-databind: improper polymorphic deserialization in axis2-transport-jms class"
},
{
"cve": "CVE-2018-19361",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2019-01-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1666484"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using the OpenJPA class. An attacker could use this flaw to execute arbitrary code.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: improper polymorphic deserialization in openjpa class",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6 is not affected by this issue, since its candlepin component doesn\u0027t bundle openjpa jar.\n\nRed Hat Virtualization 4 is not affected by this issue, since its candlepin component doesn\u0027t bundle openjpa jar.\n\nRed Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Text-Only RHOAR"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-19361"
},
{
"category": "external",
"summary": "RHBZ#1666484",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666484"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-19361",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-19361"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-19361",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19361"
}
],
"release_date": "2018-11-18T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-04-24T18:46:31+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Text-Only RHOAR"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:0877"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"Text-Only RHOAR"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jackson-databind: improper polymorphic deserialization in openjpa class"
},
{
"cve": "CVE-2018-19362",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2019-01-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1666489"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using the jboss-common-core class. An attacker could use this flaw to execute arbitrary code.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: improper polymorphic deserialization in jboss-common-core class",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6 is not affected by this issue, since its candlepin component doesn\u0027t bundle jboss-common-core jar.\n\nRed Hat Virtualization 4 is not affected by this issue, since its candlepin component doesn\u0027t bundle jboss-common-core jar.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Text-Only RHOAR"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-19362"
},
{
"category": "external",
"summary": "RHBZ#1666489",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666489"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-19362",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-19362"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-19362",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19362"
}
],
"release_date": "2018-11-18T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-04-24T18:46:31+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Text-Only RHOAR"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:0877"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"Text-Only RHOAR"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jackson-databind: improper polymorphic deserialization in jboss-common-core class"
},
{
"cve": "CVE-2018-1000180",
"cwe": {
"id": "CWE-325",
"name": "Missing Cryptographic Step"
},
"discovery_date": "2018-06-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1588306"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in BouncyCastle. The number of iterations of the Miller-Rabin primality test was incorrectly calculated (according to FIPS 186-4 C.3). Under some circumstances, this could lead to the generation of weak RSA key pairs.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bouncycastle: flaw in the low-level interface to RSA key pair generator",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue affects the versions of bouncycastle as shipped with Red Hat Subscription Asset Manager 1.x. Red Hat Product Security has rated this issue as having a security impact of Moderate. No update is planned for this product at this time. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.\n\nRed Hat Satellite 6.5 isn\u0027t vulnerable to this issue, since it doesn\u0027t ship bouncycastle jar file anymore.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Text-Only RHOAR"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-1000180"
},
{
"category": "external",
"summary": "RHBZ#1588306",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1588306"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-1000180",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-1000180"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000180",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000180"
}
],
"release_date": "2018-04-18T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-04-24T18:46:31+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Text-Only RHOAR"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:0877"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"Text-Only RHOAR"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "bouncycastle: flaw in the low-level interface to RSA key pair generator"
}
]
}
RHSA-2019:1782
Vulnerability from csaf_redhat - Published: 2019-07-15 19:18 - Updated: 2026-05-14 22:24

CVE-2017-17485 — A deserialization flaw was discovered in jackson-databind which could allow an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of ObjectMapper. The fix for this issue extends the fixes for the previous flaws CVE-2017-7525 and CVE-2017-15095 by blacklisting more classes that could be used maliciously.

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat JBoss BRMS 6.4.12<br>Red Hat / Red Hat Decision Manager | cpe:/a:redhat:jboss_enterprise_brms_platform:6.4 | — | Vendor Fix<br>fix |
CVE-2018-12022 — A vulnerability was discovered in jackson-databind where it would permit deserialization of a malicious object using Jodd DB connection classes when using DefaultTyping. An attacker could use this flaw to achieve remote code execution under certain circumstances.

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat JBoss BRMS 6.4.12<br>Red Hat / Red Hat Decision Manager | cpe:/a:redhat:jboss_enterprise_brms_platform:6.4 | — | Vendor Fix<br>fix |
CVE-2018-12023 — A vulnerability was discovered in jackson-databind where it would permit deserialization of a malicious object using Oracle JDBC classes when using DefaultTyping. An attacker could use this flaw to achieve remote code execution under certain circumstances.

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat JBoss BRMS 6.4.12<br>Red Hat / Red Hat Decision Manager | cpe:/a:redhat:jboss_enterprise_brms_platform:6.4 | — | Vendor Fix<br>fix |
CVE-2018-14718 — A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using slf4j classes. An attacker could use this flaw to execute arbitrary code.

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat JBoss BRMS 6.4.12<br>Red Hat / Red Hat Decision Manager | cpe:/a:redhat:jboss_enterprise_brms_platform:6.4 | — | Vendor Fix<br>fix |
CVE-2018-14719 — A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using blaze classes. An attacker could use this flaw to execute arbitrary code.

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat JBoss BRMS 6.4.12<br>Red Hat / Red Hat Decision Manager | cpe:/a:redhat:jboss_enterprise_brms_platform:6.4 | — | Vendor Fix<br>fix |
CVE-2018-19360 — A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using the axis2-transport-jms class. An attacker could use this flaw to execute arbitrary code.

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat JBoss BRMS 6.4.12<br>Red Hat / Red Hat Decision Manager | cpe:/a:redhat:jboss_enterprise_brms_platform:6.4 | — | Vendor Fix<br>fix |
CVE-2018-19361 — A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using the OpenJPA class. An attacker could use this flaw to execute arbitrary code.

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat JBoss BRMS 6.4.12<br>Red Hat / Red Hat Decision Manager | cpe:/a:redhat:jboss_enterprise_brms_platform:6.4 | — | Vendor Fix<br>fix |
CVE-2018-19362 — A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using the jboss-common-core class. An attacker could use this flaw to execute arbitrary code.

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat JBoss BRMS 6.4.12<br>Red Hat / Red Hat Decision Manager | cpe:/a:redhat:jboss_enterprise_brms_platform:6.4 | — | Vendor Fix<br>fix |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Red Hat JBoss BRMS.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat JBoss BRMS is a business rules management system for the management, storage, creation, modification, and deployment of JBoss Rules.\n\nThis release of Red Hat JBoss BRMS 6.4.11 serves as a replacement for Red Hat JBoss BRMS 6.4.10, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* jackson-databind: arbitrary code execution in slf4j-ext class (CVE-2018-14718)\n\n* jackson-databind: improper polymorphic deserialization in openjpa class (CVE-2018-19361)\n\n* jackson-databind: improper polymorphic deserialization in axis2-transport-jms class (CVE-2018-19360)\n\n* jackson-databind: improper polymorphic deserialization in jboss-common core (CVE-2018-19362)\n\n* jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes (CVE-2018-14719)\n\n* jackson-databind: improper polymorphic deserialization of types from Jodd-db library (CVE-2018-12022)\n\n* jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver (CVE-2018-12023)\n\n* jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095) (CVE-2017-17485)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2019:1782",
"url": "https://access.redhat.com/errata/RHSA-2019:1782"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=rhdm\u0026downloadType=securityPatches\u0026version=6.4",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=rhdm\u0026downloadType=securityPatches\u0026version=6.4"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_brms/6.4/html/6.4_release_notes/index",
"url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_brms/6.4/html/6.4_release_notes/index"
},
{
"category": "external",
"summary": "1528565",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1528565"
},
{
"category": "external",
"summary": "1666415",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666415"
},
{
"category": "external",
"summary": "1666418",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666418"
},
{
"category": "external",
"summary": "1666482",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666482"
},
{
"category": "external",
"summary": "1666484",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666484"
},
{
"category": "external",
"summary": "1666489",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666489"
},
{
"category": "external",
"summary": "1671096",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1671096"
},
{
"category": "external",
"summary": "1671097",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1671097"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2019/rhsa-2019_1782.json"
}
],
"title": "Red Hat Security Advisory: Red Hat JBoss BRMS 6.4.12 security update",
"tracking": {
"current_release_date": "2026-05-14T22:24:28+00:00",
"generator": {
"date": "2026-05-14T22:24:28+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.0"
}
},
"id": "RHSA-2019:1782",
"initial_release_date": "2019-07-15T19:18:30+00:00",
"revision_history": [
{
"date": "2019-07-15T19:18:30+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2019-07-15T19:18:30+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-14T22:24:28+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss BRMS 6.4.12",
"product": {
"name": "Red Hat JBoss BRMS 6.4.12",
"product_id": "Red Hat JBoss BRMS 6.4.12",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:6.4"
}
}
}
],
"category": "product_family",
"name": "Red Hat Decision Manager"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"0c0c0f from 360\u89c2\u661f\u5b9e\u9a8c\u5ba4"
]
}
],
"cve": "CVE-2017-17485",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2017-12-06T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1528565"
}
],
"notes": [
{
"category": "description",
"text": "A deserialization flaw was discovered in jackson-databind which could allow an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of ObjectMapper. The fix for this issue extends the fixes for the previous flaws CVE-2017-7525 and CVE-2017-15095 by blacklisting more classes that could be used maliciously.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095)",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BRMS 6.4.12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-17485"
},
{
"category": "external",
"summary": "RHBZ#1528565",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1528565"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-17485",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-17485"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-17485",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-17485"
},
{
"category": "external",
"summary": "https://access.redhat.com/solutions/3442891",
"url": "https://access.redhat.com/solutions/3442891"
}
],
"release_date": "2017-12-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-07-15T19:18:30+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss BRMS 6.4.12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:1782"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"Red Hat JBoss BRMS 6.4.12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095)"
},
{
"cve": "CVE-2018-12022",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2019-01-16T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1671097"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was discovered in jackson-databind where it would permit deserialization of a malicious object using Jodd DB connection classes when using DefaultTyping. An attacker could use this flaw to achieve remote code execution under certain circumstances.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: improper polymorphic deserialization of types from Jodd-db library",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6 is not affected by this issue, since Candlepin\u0027s java runtime environment does not load Jodd classes.\n\nRed Hat Virtualization 4 is not affected by this issue, since it does not load Jodd classes.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BRMS 6.4.12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-12022"
},
{
"category": "external",
"summary": "RHBZ#1671097",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1671097"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-12022",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-12022"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-12022",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12022"
}
],
"release_date": "2018-05-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-07-15T19:18:30+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss BRMS 6.4.12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:1782"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"Red Hat JBoss BRMS 6.4.12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jackson-databind: improper polymorphic deserialization of types from Jodd-db library"
},
{
"cve": "CVE-2018-12023",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2019-01-16T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1671096"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was discovered in jackson-databind where it would permit deserialization of a malicious object using Oracle JDBC classes when using DefaultTyping. An attacker could use this flaw to achieve remote code execution under certain circumstances.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6 is not affected by this issue, since Candlepin\u0027s java runtime environment does not load Oracle\u0027s JDBC classes.\n\nRed Hat Virtualization 4 is not affected by this issue, since it does not load Oracle\u0027s JDBC classes.\n\nRed Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BRMS 6.4.12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-12023"
},
{
"category": "external",
"summary": "RHBZ#1671096",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1671096"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-12023",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-12023"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-12023",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12023"
}
],
"release_date": "2018-06-08T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-07-15T19:18:30+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss BRMS 6.4.12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:1782"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"Red Hat JBoss BRMS 6.4.12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver"
},
{
"cve": "CVE-2018-14718",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2019-01-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1666415"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using slf4j classes. An attacker could use this flaw to execute arbitrary code.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: arbitrary code execution in slf4j-ext class",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability in jackson-databind involves exploiting CVE-2018-8088 against slf4j, which was fixed in Red Hat products through the errata referenced at https://access.redhat.com/security/cve/cve-2018-8088. Applications that link only slf4j versions including that fix are not affected by this vulnerability.\n\nRed Hat Satellite 6 is not affected by this issue, since its candlepin component doesn\u0027t bundle slf4j-ext jar.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BRMS 6.4.12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14718"
},
{
"category": "external",
"summary": "RHBZ#1666415",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666415"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14718",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14718"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14718",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14718"
}
],
"release_date": "2018-07-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-07-15T19:18:30+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss BRMS 6.4.12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:1782"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"Red Hat JBoss BRMS 6.4.12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jackson-databind: arbitrary code execution in slf4j-ext class"
},
{
"cve": "CVE-2018-14719",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2019-01-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1666418"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using blaze classes. An attacker could use this flaw to execute arbitrary code.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The following Red Hat products are not affected by this issue as they do not bundle or provide the requisite gadget jars to exploit this vulnerability:\nRed Hat Satellite 6\nRed Hat Enterprise Virtualization 4\nRed Hat Fuse 6, 7, and Fuse Integration Services 2\nRed Hat A-MQ 6",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BRMS 6.4.12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14719"
},
{
"category": "external",
"summary": "RHBZ#1666418",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666418"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14719",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14719"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14719",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14719"
}
],
"release_date": "2018-07-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-07-15T19:18:30+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss BRMS 6.4.12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:1782"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"Red Hat JBoss BRMS 6.4.12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes"
},
{
"cve": "CVE-2018-19360",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2019-01-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1666482"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using the axis2-transport-jms class. An attacker could use this flaw to execute arbitrary code.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: improper polymorphic deserialization in axis2-transport-jms class",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6 is not affected by this issue, since its candlepin component doesn\u0027t include axis2-transport-jms jar.\n\nRed Hat Virtualization 4 is not affected by this issue, since it does not include axis2-transport-jms jar.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BRMS 6.4.12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-19360"
},
{
"category": "external",
"summary": "RHBZ#1666482",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666482"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-19360",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-19360"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-19360",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19360"
}
],
"release_date": "2018-11-18T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-07-15T19:18:30+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss BRMS 6.4.12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:1782"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"Red Hat JBoss BRMS 6.4.12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jackson-databind: improper polymorphic deserialization in axis2-transport-jms class"
},
{
"cve": "CVE-2018-19361",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2019-01-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1666484"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using the OpenJPA class. An attacker could use this flaw to execute arbitrary code.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: improper polymorphic deserialization in openjpa class",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6 is not affected by this issue, since its candlepin component doesn\u0027t bundle openjpa jar.\n\nRed Hat Virtualization 4 is not affected by this issue, since its candlepin component doesn\u0027t bundle openjpa jar.\n\nRed Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BRMS 6.4.12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-19361"
},
{
"category": "external",
"summary": "RHBZ#1666484",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666484"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-19361",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-19361"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-19361",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19361"
}
],
"release_date": "2018-11-18T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-07-15T19:18:30+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss BRMS 6.4.12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:1782"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"Red Hat JBoss BRMS 6.4.12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jackson-databind: improper polymorphic deserialization in openjpa class"
},
{
"cve": "CVE-2018-19362",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2019-01-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1666489"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using the jboss-common-core class. An attacker could use this flaw to execute arbitrary code.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: improper polymorphic deserialization in jboss-common-core class",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6 is not affected by this issue, since its candlepin component doesn\u0027t bundle jboss-common-core jar.\n\nRed Hat Virtualization 4 is not affected by this issue, since its candlepin component doesn\u0027t bundle jboss-common-core jar.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BRMS 6.4.12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-19362"
},
{
"category": "external",
"summary": "RHBZ#1666489",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666489"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-19362",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-19362"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-19362",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19362"
}
],
"release_date": "2018-11-18T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-07-15T19:18:30+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss BRMS 6.4.12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:1782"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"Red Hat JBoss BRMS 6.4.12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jackson-databind: improper polymorphic deserialization in jboss-common-core class"
}
]
}
RHSA-2019:1797
Vulnerability from csaf_redhat - Published: 2019-07-16 16:21 - Updated: 2026-05-14 22:24
A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of ObjectMapper. This issue extends upon the previous flaws CVE-2017-7525 and CVE-2017-15095 by blacklisting more classes that could be used maliciously.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat JBoss BPMS 6.4<br>Red Hat / Red Hat Process Automation Manager | cpe:/a:redhat:jboss_bpms:6.4 | — | Vendor Fix<br>fix |
A vulnerability was discovered in jackson-databind where it would permit deserialization of a malicious object using Jodd DB connection classes when using DefaultTyping. An attacker could use this flaw to achieve remote code execution under certain circumstances.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat JBoss BPMS 6.4<br>Red Hat / Red Hat Process Automation Manager | cpe:/a:redhat:jboss_bpms:6.4 | — | Vendor Fix<br>fix |
A vulnerability was discovered in jackson-databind where it would permit deserialization of a malicious object using Oracle JDBC classes when using DefaultTyping. An attacker could use this flaw to achieve remote code execution under certain circumstances.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat JBoss BPMS 6.4<br>Red Hat / Red Hat Process Automation Manager | cpe:/a:redhat:jboss_bpms:6.4 | — | Vendor Fix<br>fix |
A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using slf4j classes. An attacker could use this flaw to execute arbitrary code.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat JBoss BPMS 6.4<br>Red Hat / Red Hat Process Automation Manager | cpe:/a:redhat:jboss_bpms:6.4 | — | Vendor Fix<br>fix |
A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using blaze classes. An attacker could use this flaw to execute arbitrary code.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat JBoss BPMS 6.4<br>Red Hat / Red Hat Process Automation Manager | cpe:/a:redhat:jboss_bpms:6.4 | — | Vendor Fix<br>fix |
A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using the axis2-transport-jms class. An attacker could use this flaw to execute arbitrary code.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat JBoss BPMS 6.4<br>Red Hat / Red Hat Process Automation Manager | cpe:/a:redhat:jboss_bpms:6.4 | — | Vendor Fix<br>fix |
A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using the OpenJPA class. An attacker could use this flaw to execute arbitrary code.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat JBoss BPMS 6.4<br>Red Hat / Red Hat Process Automation Manager | cpe:/a:redhat:jboss_bpms:6.4 | — | Vendor Fix<br>fix |
A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using the jboss-common-core class. An attacker could use this flaw to execute arbitrary code.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat JBoss BPMS 6.4<br>Red Hat / Red Hat Process Automation Manager | cpe:/a:redhat:jboss_bpms:6.4 | — | Vendor Fix<br>fix |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Red Hat JBoss BPM Suite.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat JBoss BPM Suite is a business rules and processes management system for the management, storage, creation, modification, and deployment of JBoss rules and BPMN2-compliant business processes.\n\nThis release of Red Hat JBoss BPM Suite 6.4.12 serves as a replacement for Red Hat JBoss BPM Suite 6.4.11, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* jackson-databind: arbitrary code execution in slf4j-ext class (CVE-2018-14718)\n\n* jackson-databind: improper polymorphic deserialization in openjpa class (CVE-2018-19361)\n\n* jackson-databind: improper polymorphic deserialization in axis2-transport-jms class (CVE-2018-19360)\n\n* jackson-databind: improper polymorphic deserialization in jboss-common-core (CVE-2018-19362)\n\n* jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes (CVE-2018-14719)\n\n* jackson-databind: improper polymorphic deserialization of types from Jodd-db library (CVE-2018-12022)\n\n* jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver (CVE-2018-12023)\n\n* jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095) (CVE-2017-17485)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2019:1797",
"url": "https://access.redhat.com/errata/RHSA-2019:1797"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=rhpam\u0026downloadType=securityPatches\u0026version=6.4",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=rhpam\u0026downloadType=securityPatches\u0026version=6.4"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en-us/red_hat_process_automation_manager/6.4/",
"url": "https://access.redhat.com/documentation/en-us/red_hat_process_automation_manager/6.4/"
},
{
"category": "external",
"summary": "1528565",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1528565"
},
{
"category": "external",
"summary": "1666415",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666415"
},
{
"category": "external",
"summary": "1666418",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666418"
},
{
"category": "external",
"summary": "1666482",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666482"
},
{
"category": "external",
"summary": "1666484",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666484"
},
{
"category": "external",
"summary": "1666489",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666489"
},
{
"category": "external",
"summary": "1671096",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1671096"
},
{
"category": "external",
"summary": "1671097",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1671097"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2019/rhsa-2019_1797.json"
}
],
"title": "Red Hat Security Advisory: Red Hat JBoss BPM Suite 6.4.12 security update",
"tracking": {
"current_release_date": "2026-05-14T22:24:24+00:00",
"generator": {
"date": "2026-05-14T22:24:24+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.0"
}
},
"id": "RHSA-2019:1797",
"initial_release_date": "2019-07-16T16:21:36+00:00",
"revision_history": [
{
"date": "2019-07-16T16:21:36+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2019-07-16T16:21:36+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-14T22:24:24+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss BPMS 6.4",
"product": {
"name": "Red Hat JBoss BPMS 6.4",
"product_id": "Red Hat JBoss BPMS 6.4",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_bpms:6.4"
}
}
}
],
"category": "product_family",
"name": "Red Hat Process Automation Manager"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"0c0c0f from 360\u89c2\u661f\u5b9e\u9a8c\u5ba4"
]
}
],
"cve": "CVE-2017-17485",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2017-12-06T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1528565"
}
],
"notes": [
{
"category": "description",
"text": "A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of ObjectMapper. This issue extends upon the previous flaws CVE-2017-7525 and CVE-2017-15095 by blacklisting more classes that could be used maliciously.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095)",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BPMS 6.4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-17485"
},
{
"category": "external",
"summary": "RHBZ#1528565",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1528565"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-17485",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-17485"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-17485",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-17485"
},
{
"category": "external",
"summary": "https://access.redhat.com/solutions/3442891",
"url": "https://access.redhat.com/solutions/3442891"
}
],
"release_date": "2017-12-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-07-16T16:21:36+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss BPMS 6.4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:1797"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"Red Hat JBoss BPMS 6.4"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095)"
},
{
"cve": "CVE-2018-12022",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2019-01-16T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1671097"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was discovered in jackson-databind where it would permit deserialization of a malicious object using Jodd DB connection classes when using DefaultTyping. An attacker could use this flaw to achieve remote code execution under certain circumstances.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: improper polymorphic deserialization of types from Jodd-db library",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6 is not affected by this issue, since Candlepin\u0027s java runtime environment does not load Jodd classes.\n\nRed Hat Virtualization 4 is not affected by this issue, since it does not load Jodd classes.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BPMS 6.4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-12022"
},
{
"category": "external",
"summary": "RHBZ#1671097",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1671097"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-12022",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-12022"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-12022",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12022"
}
],
"release_date": "2018-05-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-07-16T16:21:36+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss BPMS 6.4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:1797"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"Red Hat JBoss BPMS 6.4"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jackson-databind: improper polymorphic deserialization of types from Jodd-db library"
},
{
"cve": "CVE-2018-12023",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2019-01-16T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1671096"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was discovered in jackson-databind where it would permit deserialization of a malicious object using Oracle JDBC classes when using DefaultTyping. An attacker could use this flaw to achieve remote code execution under certain circumstances.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6 is not affected by this issue, since Candlepin\u0027s java runtime environment does not load Oracle\u0027s JDBC classes.\n\nRed Hat Virtualization 4 is not affected by this issue, since it does not load Oracle\u0027s JDBC classes.\n\nRed Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BPMS 6.4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-12023"
},
{
"category": "external",
"summary": "RHBZ#1671096",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1671096"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-12023",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-12023"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-12023",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12023"
}
],
"release_date": "2018-06-08T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-07-16T16:21:36+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss BPMS 6.4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:1797"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"Red Hat JBoss BPMS 6.4"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver"
},
{
"cve": "CVE-2018-14718",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2019-01-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1666415"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using slf4j classes. An attacker could use this flaw to execute arbitrary code.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: arbitrary code execution in slf4j-ext class",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability in jackson-databind involves exploiting CVE-2018-8088 against slf4j, which was fixed in Red Hat products through the errata referenced at https://access.redhat.com/security/cve/cve-2018-8088. Applications that link only slf4j versions including that fix are not vulnerable to this vulnerability.\n\nRed Hat Satellite 6 is not affected by this issue, since its candlepin component doesn\u0027t bundle slf4j-ext jar.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BPMS 6.4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14718"
},
{
"category": "external",
"summary": "RHBZ#1666415",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666415"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14718",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14718"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14718",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14718"
}
],
"release_date": "2018-07-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-07-16T16:21:36+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss BPMS 6.4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:1797"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"Red Hat JBoss BPMS 6.4"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jackson-databind: arbitrary code execution in slf4j-ext class"
},
{
"cve": "CVE-2018-14719",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2019-01-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1666418"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using blaze classes. An attacker could use this flaw to execute arbitrary code.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The following Red Hat products are not affected by this issue as they do not bundle or provide the requisite gadget jars to exploit this vulnerability:\nRed Hat Satellite 6\nRed Hat Enterprise Virtualization 4\nRed Hat Fuse 6, 7, and Fuse Integration Services 2\nRed Hat A-MQ 6",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BPMS 6.4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14719"
},
{
"category": "external",
"summary": "RHBZ#1666418",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666418"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14719",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14719"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14719",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14719"
}
],
"release_date": "2018-07-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-07-16T16:21:36+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss BPMS 6.4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:1797"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"Red Hat JBoss BPMS 6.4"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes"
},
{
"cve": "CVE-2018-19360",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2019-01-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1666482"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using the axis2-transport-jms class. An attacker could use this flaw to execute arbitrary code.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: improper polymorphic deserialization in axis2-transport-jms class",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6 is not affected by this issue, since its candlepin component doesn\u0027t include axis2-transport-jms jar.\n\nRed Hat Virtualization 4 is not affected by this issue, since it does not include axis2-transport-jms jar.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BPMS 6.4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-19360"
},
{
"category": "external",
"summary": "RHBZ#1666482",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666482"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-19360",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-19360"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-19360",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19360"
}
],
"release_date": "2018-11-18T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-07-16T16:21:36+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss BPMS 6.4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:1797"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"Red Hat JBoss BPMS 6.4"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jackson-databind: improper polymorphic deserialization in axis2-transport-jms class"
},
{
"cve": "CVE-2018-19361",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2019-01-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1666484"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using the OpenJPA class. An attacker could use this flaw to execute arbitrary code.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: improper polymorphic deserialization in openjpa class",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6 is not affected by this issue, since its candlepin component doesn\u0027t bundle openjpa jar.\n\nRed Hat Virtualization 4 is not affected by this issue, since its candlepin component doesn\u0027t bundle openjpa jar.\n\nRed Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BPMS 6.4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-19361"
},
{
"category": "external",
"summary": "RHBZ#1666484",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666484"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-19361",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-19361"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-19361",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19361"
}
],
"release_date": "2018-11-18T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-07-16T16:21:36+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss BPMS 6.4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:1797"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"Red Hat JBoss BPMS 6.4"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jackson-databind: improper polymorphic deserialization in openjpa class"
},
{
"cve": "CVE-2018-19362",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2019-01-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1666489"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using the jboss-common-core class. An attacker could use this flaw to execute arbitrary code.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: improper polymorphic deserialization in jboss-common-core class",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6 is not affected by this issue, since its candlepin component doesn\u0027t bundle jboss-common-core jar.\n\nRed Hat Virtualization 4 is not affected by this issue, since its candlepin component doesn\u0027t bundle jboss-common-core jar.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BPMS 6.4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-19362"
},
{
"category": "external",
"summary": "RHBZ#1666489",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666489"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-19362",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-19362"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-19362",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19362"
}
],
"release_date": "2018-11-18T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-07-16T16:21:36+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss BPMS 6.4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:1797"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"Red Hat JBoss BPMS 6.4"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jackson-databind: improper polymorphic deserialization in jboss-common-core class"
}
]
}
RHSA-2019:1822
Vulnerability from csaf_redhat - Published: 2019-07-22 14:53 - Updated: 2026-05-14 22:24
A vulnerability was discovered in jackson-databind where it would permit deserialization of a malicious object using MyBatis classes when using DefaultTyping. An attacker could use this flaw to achieve content exfiltration and possibly conduct further attacks.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat JBoss BRMS 7.4<br>Red Hat / Red Hat Decision Manager | cpe:/a:redhat:jboss_enterprise_brms_platform:7.4 | — | Vendor Fix<br>fix |
A vulnerability was discovered in jackson-databind where it would permit deserialization of a malicious object using Jodd DB connection classes when using DefaultTyping. An attacker could use this flaw to achieve remote code execution under certain circumstances.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat JBoss BRMS 7.4<br>Red Hat / Red Hat Decision Manager | cpe:/a:redhat:jboss_enterprise_brms_platform:7.4 | — | Vendor Fix<br>fix |
A vulnerability was discovered in jackson-databind where it would permit deserialization of a malicious object using Oracle JDBC classes when using DefaultTyping. An attacker could use this flaw to achieve remote code execution under certain circumstances.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat JBoss BRMS 7.4<br>Red Hat / Red Hat Decision Manager | cpe:/a:redhat:jboss_enterprise_brms_platform:7.4 | — | Vendor Fix<br>fix |
A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using slf4j classes. An attacker could use this flaw to execute arbitrary code.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat JBoss BRMS 7.4<br>Red Hat / Red Hat Decision Manager | cpe:/a:redhat:jboss_enterprise_brms_platform:7.4 | — | Vendor Fix<br>fix |
A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using blaze classes. An attacker could use this flaw to execute arbitrary code.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat JBoss BRMS 7.4<br>Red Hat / Red Hat Decision Manager | cpe:/a:redhat:jboss_enterprise_brms_platform:7.4 | — | Vendor Fix<br>fix |
A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the slf4j, flex messaging, sun DRSHelper and JAX-WS gadgets when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat JBoss BRMS 7.4<br>Red Hat / Red Hat Decision Manager | cpe:/a:redhat:jboss_enterprise_brms_platform:7.4 | — | Vendor Fix<br>fix<br>Workaround |
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat JBoss BRMS 7.4<br>Red Hat / Red Hat Decision Manager | cpe:/a:redhat:jboss_enterprise_brms_platform:7.4 | — | Vendor Fix<br>fix |
A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using the axis2-transport-jms class. An attacker could use this flaw to execute arbitrary code.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat JBoss BRMS 7.4<br>Red Hat / Red Hat Decision Manager | cpe:/a:redhat:jboss_enterprise_brms_platform:7.4 | — | Vendor Fix<br>fix |
A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using the OpenJPA class. An attacker could use this flaw to execute arbitrary code.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat JBoss BRMS 7.4<br>Red Hat / Red Hat Decision Manager | cpe:/a:redhat:jboss_enterprise_brms_platform:7.4 | — | Vendor Fix<br>fix |
A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using the jboss-common-core class. An attacker could use this flaw to execute arbitrary code.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat JBoss BRMS 7.4<br>Red Hat / Red Hat Decision Manager | cpe:/a:redhat:jboss_enterprise_brms_platform:7.4 | — | Vendor Fix<br>fix |
It was found that xstream API version 1.4.10 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format. This is a regression of CVE-2013-7285 fixed in 1.4.7 (fixed) as of BPMS 6.0.1; the regression was introduced with xstream-1.4.10 implemented in RHPAM.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat JBoss BRMS 7.4<br>Red Hat / Red Hat Decision Manager | cpe:/a:redhat:jboss_enterprise_brms_platform:7.4 | — | Vendor Fix<br>fix |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Red Hat Decision Manager.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Decision Manager is an open source decision management platform that combines business rules management, complex event processing, Decision Model \u0026 Notation (DMN) execution, and Business Optimizer for solving planning problems. It automates business decisions and makes that logic available to the entire business. \n\nThis release of Red Hat Decision Manager 7.4.0 serves as an update to Red Hat Decision Manager 7.3.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* jackson-databind: Potential information exfiltration with default typing, serialization gadget from MyBatis (CVE-2018-11307)\n\n* jackson-databind: improper polymorphic deserialization of types from Jodd-db library (CVE-2018-12022)\n\n* jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver (CVE-2018-12023)\n\n* jackson-databind: arbitrary code execution in slf4j-ext class (CVE-2018-14718)\n\n* jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes (CVE-2018-14719)\n\n* jackson-databind: improper polymorphic deserialization in axis2-transport-jms class (CVE-2018-19360)\n\n* jackson-databind: improper polymorphic deserialization in openjpa class (CVE-2018-19361)\n\n* jackson-databind: improper polymorphic deserialization in jboss-common-core class (CVE-2018-19362)\n\n* jackson-databind: exfiltration/XXE in some JDK classes (CVE-2018-14720)\n\n* jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class (CVE-2018-14721)\n\n* xstream: remote code execution due to insecure XML deserialization (CVE-2019-10173, regression of CVE-2013-7285)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2019:1822",
"url": "https://access.redhat.com/errata/RHSA-2019:1822"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=rhdm\u0026version=7.4.0",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=rhdm\u0026version=7.4.0"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en-us/red_hat_decision_manager/7.4/html/release_notes_for_red_hat_decision_manager_7.4/index",
"url": "https://access.redhat.com/documentation/en-us/red_hat_decision_manager/7.4/html/release_notes_for_red_hat_decision_manager_7.4/index"
},
{
"category": "external",
"summary": "1666415",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666415"
},
{
"category": "external",
"summary": "1666418",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666418"
},
{
"category": "external",
"summary": "1666423",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666423"
},
{
"category": "external",
"summary": "1666428",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666428"
},
{
"category": "external",
"summary": "1666482",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666482"
},
{
"category": "external",
"summary": "1666484",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666484"
},
{
"category": "external",
"summary": "1666489",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666489"
},
{
"category": "external",
"summary": "1671096",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1671096"
},
{
"category": "external",
"summary": "1671097",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1671097"
},
{
"category": "external",
"summary": "1677341",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1677341"
},
{
"category": "external",
"summary": "1722971",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1722971"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2019/rhsa-2019_1822.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Decision Manager 7.4.0 Security Update",
"tracking": {
"current_release_date": "2026-05-14T22:24:25+00:00",
"generator": {
"date": "2026-05-14T22:24:25+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.0"
}
},
"id": "RHSA-2019:1822",
"initial_release_date": "2019-07-22T14:53:31+00:00",
"revision_history": [
{
"date": "2019-07-22T14:53:31+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2019-07-22T14:53:31+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-14T22:24:25+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss BRMS 7.4",
"product": {
"name": "Red Hat JBoss BRMS 7.4",
"product_id": "Red Hat JBoss BRMS 7.4",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:7.4"
}
}
}
],
"category": "product_family",
"name": "Red Hat Decision Manager"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2018-11307",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2019-02-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1677341"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was discovered in jackson-databind where it would permit deserialization of a malicious object using MyBatis classes when using DefaultTyping. An attacker could use this flaw to achieve content exfiltration and possibly conduct further attacks.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: Potential information exfiltration with default typing, serialization gadget from MyBatis",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6 is not affected by this issue, since Candlepin\u0027s java runtime environment does not load MyBatis classes.\n\nRed Hat Virtualization 4 is not affected by this issue, since it does not include MyBatis classes.\n\nRed Hat Fuse 6 and 7 are not directly affected by this issue, as although they do ship the vulnerable jackson-databind component, they do not enable polymorphic deserialization or default typing which are required for exploitability. Their impacts have correspondingly been reduced to Moderate. Future updates may address this flaw.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BRMS 7.4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-11307"
},
{
"category": "external",
"summary": "RHBZ#1677341",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1677341"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-11307",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-11307"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-11307",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11307"
}
],
"release_date": "2018-05-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-07-22T14:53:31+00:00",
"details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss BRMS 7.4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:1822"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"Red Hat JBoss BRMS 7.4"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jackson-databind: Potential information exfiltration with default typing, serialization gadget from MyBatis"
},
{
"cve": "CVE-2018-12022",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2019-01-16T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1671097"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was discovered in jackson-databind where it would permit deserialization of a malicious object using Jodd DB connection classes when using DefaultTyping. An attacker could use this flaw to achieve remote code execution under certain circumstances.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: improper polymorphic deserialization of types from Jodd-db library",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6 is not affected by this issue, since Candlepin\u0027s java runtime environment does not load Jodd classes.\n\nRed Hat Virtualization 4 is not affected by this issue, since it does not load Jodd classes.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BRMS 7.4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-12022"
},
{
"category": "external",
"summary": "RHBZ#1671097",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1671097"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-12022",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-12022"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-12022",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12022"
}
],
"release_date": "2018-05-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-07-22T14:53:31+00:00",
"details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss BRMS 7.4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:1822"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"Red Hat JBoss BRMS 7.4"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jackson-databind: improper polymorphic deserialization of types from Jodd-db library"
},
{
"cve": "CVE-2018-12023",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2019-01-16T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1671096"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was discovered in jackson-databind where it would permit deserialization of a malicious object using Oracle JDBC classes when using DefaultTyping. An attacker could use this flaw to achieve remote code execution under certain circumstances.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6 is not affected by this issue, since Candlepin\u0027s java runtime environment does not load Oracle\u0027s JDBC classes.\n\nRed Hat Virtualization 4 is not affected by this issue, since it does not load Oracle\u0027s JDBC classes.\n\nRed Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BRMS 7.4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-12023"
},
{
"category": "external",
"summary": "RHBZ#1671096",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1671096"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-12023",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-12023"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-12023",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12023"
}
],
"release_date": "2018-06-08T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-07-22T14:53:31+00:00",
"details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss BRMS 7.4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:1822"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"Red Hat JBoss BRMS 7.4"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver"
},
{
"cve": "CVE-2018-14718",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2019-01-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1666415"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using slf4j classes. An attacker could use this flaw to execute arbitrary code.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: arbitrary code execution in slf4j-ext class",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability in jackson-databind involves exploiting CVE-2018-8088 against slf4j, which was fixed in Red Hat products through the errata referenced at https://access.redhat.com/security/cve/cve-2018-8088. Applications that link only slf4j versions including that fix are not affected by this vulnerability.\n\nRed Hat Satellite 6 is not affected by this issue, since its candlepin component doesn\u0027t bundle slf4j-ext jar.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BRMS 7.4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14718"
},
{
"category": "external",
"summary": "RHBZ#1666415",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666415"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14718",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14718"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14718",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14718"
}
],
"release_date": "2018-07-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-07-22T14:53:31+00:00",
"details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss BRMS 7.4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:1822"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"Red Hat JBoss BRMS 7.4"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jackson-databind: arbitrary code execution in slf4j-ext class"
},
{
"cve": "CVE-2018-14719",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2019-01-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1666418"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using blaze classes. An attacker could use this flaw to execute arbitrary code.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The following Red Hat products are not affected by this issue as they do not bundle or provide the requisite gadget jars to exploit this vulnerability:\nRed Hat Satellite 6\nRed Hat Enterprise Virtualization 4\nRed Hat Fuse 6, 7, and Fuse Integration Services 2\nRed Hat A-MQ 6",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BRMS 7.4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14719"
},
{
"category": "external",
"summary": "RHBZ#1666418",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666418"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14719",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14719"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14719",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14719"
}
],
"release_date": "2018-07-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-07-22T14:53:31+00:00",
"details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss BRMS 7.4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:1822"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"Red Hat JBoss BRMS 7.4"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes"
},
{
"cve": "CVE-2018-14720",
"cwe": {
"id": "CWE-611",
"name": "Improper Restriction of XML External Entity Reference"
},
"discovery_date": "2019-01-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1666423"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the slf4j, flex messaging, sun DRSHelper and JAX-WS gadgets when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: exfiltration/XXE in some JDK classes",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6 is not affected by this issue, since its only supported Java runtime (openJDK) doesn\u0027t bundle the com.sun.deploy.security.ruleset.DRSHelper class.\n\nRed Hat Enterprise Virtualization 4 is not affected by this issue, since its only supported Java runtime (openJDK) doesn\u0027t bundle the com.sun.deploy.security.ruleset.DRSHelper class.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BRMS 7.4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14720"
},
{
"category": "external",
"summary": "RHBZ#1666423",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666423"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14720",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14720"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14720",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14720"
}
],
"release_date": "2018-07-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-07-22T14:53:31+00:00",
"details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss BRMS 7.4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:1822"
},
{
"category": "workaround",
"details": "The following conditions are needed for an exploit; we recommend avoiding all of them if possible:\n* Deserialization from sources you do not control\n* `enableDefaultTyping()`\n* `@JsonTypeInfo` using `Id.CLASS` or `Id.MINIMAL_CLASS`",
"product_ids": [
"Red Hat JBoss BRMS 7.4"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"Red Hat JBoss BRMS 7.4"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: exfiltration/XXE in some JDK classes"
},
{
"cve": "CVE-2018-14721",
"cwe": {
"id": "CWE-352",
"name": "Cross-Site Request Forgery (CSRF)"
},
"discovery_date": "2019-01-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1666428"
}
],
"notes": [
{
"category": "description",
"text": "FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6 is not affected by this issue, since its candlepin component doesn\u0027t bundle axis2-jaxws jar.\n\nRed Hat Virtualization is not affected by this issue, since it does not bundle axis2-jaxws jar.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BRMS 7.4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14721"
},
{
"category": "external",
"summary": "RHBZ#1666428",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666428"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14721",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14721"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14721",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14721"
}
],
"release_date": "2018-07-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-07-22T14:53:31+00:00",
"details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss BRMS 7.4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:1822"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"Red Hat JBoss BRMS 7.4"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class"
},
{
"cve": "CVE-2018-19360",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2019-01-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1666482"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using the axis2-transport-jms class. An attacker could use this flaw to execute arbitrary code.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: improper polymorphic deserialization in axis2-transport-jms class",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6 is not affected by this issue, since its candlepin component doesn\u0027t include axis2-transport-jms jar.\n\nRed Hat Virtualization 4 is not affected by this issue, since it does not include axis2-transport-jms jar.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BRMS 7.4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-19360"
},
{
"category": "external",
"summary": "RHBZ#1666482",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666482"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-19360",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-19360"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-19360",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19360"
}
],
"release_date": "2018-11-18T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-07-22T14:53:31+00:00",
"details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss BRMS 7.4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:1822"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"Red Hat JBoss BRMS 7.4"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jackson-databind: improper polymorphic deserialization in axis2-transport-jms class"
},
{
"cve": "CVE-2018-19361",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2019-01-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1666484"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using the OpenJPA class. An attacker could use this flaw to execute arbitrary code.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: improper polymorphic deserialization in openjpa class",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6 is not affected by this issue, since its candlepin component doesn\u0027t bundle openjpa jar.\n\nRed Hat Virtualization 4 is not affected by this issue, since its candlepin component doesn\u0027t bundle openjpa jar.\n\nRed Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BRMS 7.4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-19361"
},
{
"category": "external",
"summary": "RHBZ#1666484",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666484"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-19361",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-19361"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-19361",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19361"
}
],
"release_date": "2018-11-18T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-07-22T14:53:31+00:00",
"details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss BRMS 7.4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:1822"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"Red Hat JBoss BRMS 7.4"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jackson-databind: improper polymorphic deserialization in openjpa class"
},
{
"cve": "CVE-2018-19362",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2019-01-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1666489"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using the jboss-common-core class. An attacker could use this flaw to execute arbitrary code.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: improper polymorphic deserialization in jboss-common-core class",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6 is not affected by this issue, since its candlepin component doesn\u0027t bundle jboss-common-core jar.\n\nRed Hat Virtualization 4 is not affected by this issue, since its candlepin component doesn\u0027t bundle jboss-common-core jar.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BRMS 7.4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-19362"
},
{
"category": "external",
"summary": "RHBZ#1666489",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666489"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-19362",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-19362"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-19362",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19362"
}
],
"release_date": "2018-11-18T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-07-22T14:53:31+00:00",
"details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss BRMS 7.4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:1822"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"Red Hat JBoss BRMS 7.4"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jackson-databind: improper polymorphic deserialization in jboss-common-core class"
},
{
"cve": "CVE-2019-10173",
"cwe": {
"id": "CWE-94",
"name": "Improper Control of Generation of Code (\u0027Code Injection\u0027)"
},
"discovery_date": "2019-06-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1722971"
}
],
"notes": [
{
"category": "description",
"text": "It was found that xstream API version 1.4.10 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format. This is a regression of CVE-2013-7285 fixed in 1.4.7 (fixed) as of BPMS 6.0.1; the regression was introduced with xstream-1.4.10 implemented in RHPAM.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "xstream: remote code execution due to insecure XML deserialization (regression of CVE-2013-7285)",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BRMS 7.4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-10173"
},
{
"category": "external",
"summary": "RHBZ#1722971",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1722971"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-10173",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-10173"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-10173",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10173"
},
{
"category": "external",
"summary": "http://x-stream.github.io/changes.html#1.4.11",
"url": "http://x-stream.github.io/changes.html#1.4.11"
}
],
"release_date": "2018-10-23T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-07-22T14:53:31+00:00",
"details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss BRMS 7.4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:1822"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"Red Hat JBoss BRMS 7.4"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "xstream: remote code execution due to insecure XML deserialization (regression of CVE-2013-7285)"
}
]
}
RHSA-2019:1823
Vulnerability from csaf_redhat - Published: 2019-07-22 14:53 - Updated: 2026-05-14 22:24
A vulnerability was discovered in jackson-databind where it would permit deserialization of a malicious object using MyBatis classes when using DefaultTyping. An attacker could use this flaw to achieve content exfiltration and possibly conduct further attacks.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat JBoss BPMS 7.4
Red Hat / Red Hat Process Automation Manager
|
cpe:/a:redhat:jboss_bpms:7.4
|
— |
Vendor Fix
fix
|
A vulnerability was discovered in jackson-databind where it would permit deserialization of a malicious object using Jodd DB connection classes when using DefaultTyping. An attacker could use this flaw to achieve remote code execution under certain circumstances.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat JBoss BPMS 7.4
Red Hat / Red Hat Process Automation Manager
|
cpe:/a:redhat:jboss_bpms:7.4
|
— |
Vendor Fix
fix
|
A vulnerability was discovered in jackson-databind where it would permit deserialization of a malicious object using Oracle JDBC classes when using DefaultTyping. An attacker could use this flaw to achieve remote code execution under certain circumstances.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat JBoss BPMS 7.4
Red Hat / Red Hat Process Automation Manager
|
cpe:/a:redhat:jboss_bpms:7.4
|
— |
Vendor Fix
fix
|
A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using slf4j classes. An attacker could use this flaw to execute arbitrary code.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat JBoss BPMS 7.4
Red Hat / Red Hat Process Automation Manager
|
cpe:/a:redhat:jboss_bpms:7.4
|
— |
Vendor Fix
fix
|
A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using blaze classes. An attacker could use this flaw to execute arbitrary code.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat JBoss BPMS 7.4
Red Hat / Red Hat Process Automation Manager
|
cpe:/a:redhat:jboss_bpms:7.4
|
— |
Vendor Fix
fix
|
A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the slf4j, flex messaging, sun DRSHelper and JAX-WS gadgets when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat JBoss BPMS 7.4
Red Hat / Red Hat Process Automation Manager
|
cpe:/a:redhat:jboss_bpms:7.4
|
— |
Vendor Fix
fix
Workaround
|
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat JBoss BPMS 7.4
Red Hat / Red Hat Process Automation Manager
|
cpe:/a:redhat:jboss_bpms:7.4
|
— |
Vendor Fix
fix
|
A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using the axis2-transport-jms class. An attacker could use this flaw to execute arbitrary code.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat JBoss BPMS 7.4
Red Hat / Red Hat Process Automation Manager
|
cpe:/a:redhat:jboss_bpms:7.4
|
— |
Vendor Fix
fix
|
A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using the OpenJPA class. An attacker could use this flaw to execute arbitrary code.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat JBoss BPMS 7.4
Red Hat / Red Hat Process Automation Manager
|
cpe:/a:redhat:jboss_bpms:7.4
|
— |
Vendor Fix
fix
|
A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using the jboss-common-core class. An attacker could use this flaw to execute arbitrary code.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat JBoss BPMS 7.4
Red Hat / Red Hat Process Automation Manager
|
cpe:/a:redhat:jboss_bpms:7.4
|
— |
Vendor Fix
fix
|
It was found that xstream API version 1.4.10 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format. This is a regression of CVE-2013-7285 fixed in 1.4.7 (fixed) as of BPMS 6.0.1; the regression was introduced with xstream-1.4.10 implemented in RHPAM.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat JBoss BPMS 7.4
Red Hat / Red Hat Process Automation Manager
|
cpe:/a:redhat:jboss_bpms:7.4
|
— |
Vendor Fix
fix
|
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Red Hat Process Automation Manager.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Process Automation Manager is an open source business process management suite that combines process management and decision service management and enables business and IT users to create, manage, validate, and deploy process applications and decision services.\n\nThis release of Red Hat Process Automation Manager 7.4.0 serves as an update to Red Hat Process Automation Manager 7.3.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* jackson-databind: Potential information exfiltration with default typing, serialization gadget from MyBatis (CVE-2018-11307)\n\n* jackson-databind: improper polymorphic deserialization of types from Jodd-db library (CVE-2018-12022)\n\n* jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver (CVE-2018-12023)\n\n* jackson-databind: arbitrary code execution in slf4j-ext class (CVE-2018-14718)\n\n* jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes (CVE-2018-14719)\n\n* jackson-databind: improper polymorphic deserialization in axis2-transport-jms class (CVE-2018-19360)\n\n* jackson-databind: improper polymorphic deserialization in openjpa class (CVE-2018-19361)\n\n* jackson-databind: improper polymorphic deserialization in jboss-common-core class (CVE-2018-19362)\n\n* jackson-databind: exfiltration/XXE in some JDK classes (CVE-2018-14720)\n\n* jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class (CVE-2018-14721)\n\n* xstream: remote code execution due to insecure XML deserialization (CVE-2019-10173, regression of CVE-2013-7285)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2019:1823",
"url": "https://access.redhat.com/errata/RHSA-2019:1823"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=rhpam\u0026version=7.4.0",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=rhpam\u0026version=7.4.0"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en-us/red_hat_process_automation_manager/7.4/html/release_notes_for_red_hat_process_automation_manager_7.4/index",
"url": "https://access.redhat.com/documentation/en-us/red_hat_process_automation_manager/7.4/html/release_notes_for_red_hat_process_automation_manager_7.4/index"
},
{
"category": "external",
"summary": "1666415",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666415"
},
{
"category": "external",
"summary": "1666418",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666418"
},
{
"category": "external",
"summary": "1666423",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666423"
},
{
"category": "external",
"summary": "1666428",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666428"
},
{
"category": "external",
"summary": "1666482",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666482"
},
{
"category": "external",
"summary": "1666484",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666484"
},
{
"category": "external",
"summary": "1666489",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666489"
},
{
"category": "external",
"summary": "1671096",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1671096"
},
{
"category": "external",
"summary": "1671097",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1671097"
},
{
"category": "external",
"summary": "1677341",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1677341"
},
{
"category": "external",
"summary": "1722971",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1722971"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2019/rhsa-2019_1823.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Process Automation Manager 7.4.0 Security Update",
"tracking": {
"current_release_date": "2026-05-14T22:24:25+00:00",
"generator": {
"date": "2026-05-14T22:24:25+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.0"
}
},
"id": "RHSA-2019:1823",
"initial_release_date": "2019-07-22T14:53:17+00:00",
"revision_history": [
{
"date": "2019-07-22T14:53:17+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2019-07-22T14:53:17+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-14T22:24:25+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss BPMS 7.4",
"product": {
"name": "Red Hat JBoss BPMS 7.4",
"product_id": "Red Hat JBoss BPMS 7.4",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_bpms:7.4"
}
}
}
],
"category": "product_family",
"name": "Red Hat Process Automation Manager"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2018-11307",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2019-02-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1677341"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was discovered in jackson-databind where it would permit deserialization of a malicious object using MyBatis classes when using DefaultTyping. An attacker could use this flaw to achieve content exfiltration and possibly conduct further attacks.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: Potential information exfiltration with default typing, serialization gadget from MyBatis",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6 is not affected by this issue, since Candlepin\u0027s java runtime environment does not load MyBatis classes.\n\nRed Hat Virtualization 4 is not affected by this issue, since it does not include MyBatis classes.\n\nRed Hat Fuse 6 and 7 are not directly affected by this issue, as although they do ship the vulnerable jackson-databind component, they do not enable polymorphic deserialization or default typing which are required for exploitability. Their impacts have correspondingly been reduced to Moderate. Future updates may address this flaw.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BPMS 7.4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-11307"
},
{
"category": "external",
"summary": "RHBZ#1677341",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1677341"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-11307",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-11307"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-11307",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11307"
}
],
"release_date": "2018-05-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-07-22T14:53:17+00:00",
"details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss BPMS 7.4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:1823"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"Red Hat JBoss BPMS 7.4"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jackson-databind: Potential information exfiltration with default typing, serialization gadget from MyBatis"
},
{
"cve": "CVE-2018-12022",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2019-01-16T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1671097"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was discovered in jackson-databind where it would permit deserialization of a malicious object using Jodd DB connection classes when using DefaultTyping. An attacker could use this flaw to achieve remote code execution under certain circumstances.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: improper polymorphic deserialization of types from Jodd-db library",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6 is not affected by this issue, since Candlepin\u0027s java runtime environment does not load Jodd classes.\n\nRed Hat Virtualization 4 is not affected by this issue, since it does not load Jodd classes.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BPMS 7.4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-12022"
},
{
"category": "external",
"summary": "RHBZ#1671097",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1671097"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-12022",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-12022"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-12022",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12022"
}
],
"release_date": "2018-05-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-07-22T14:53:17+00:00",
"details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss BPMS 7.4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:1823"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"Red Hat JBoss BPMS 7.4"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jackson-databind: improper polymorphic deserialization of types from Jodd-db library"
},
{
"cve": "CVE-2018-12023",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2019-01-16T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1671096"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was discovered in jackson-databind where it would permit deserialization of a malicious object using Oracle JDBC classes when using DefaultTyping. An attacker could use this flaw to achieve remote code execution under certain circumstances.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6 is not affected by this issue, since Candlepin\u0027s java runtime environment does not load Oracle\u0027s JDBC classes.\n\nRed Hat Virtualization 4 is not affected by this issue, since it does not load Oracle\u0027s JDBC classes.\n\nRed Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BPMS 7.4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-12023"
},
{
"category": "external",
"summary": "RHBZ#1671096",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1671096"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-12023",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-12023"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-12023",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12023"
}
],
"release_date": "2018-06-08T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-07-22T14:53:17+00:00",
"details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss BPMS 7.4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:1823"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"Red Hat JBoss BPMS 7.4"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver"
},
{
"cve": "CVE-2018-14718",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2019-01-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1666415"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using slf4j classes. An attacker could use this flaw to execute arbitrary code.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: arbitrary code execution in slf4j-ext class",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability in jackson-databind involves exploiting CVE-2018-1088 against slf4j, which was fixed in Red Hat products through the errata referenced at https://access.redhat.com/security/cve/cve-2018-8088. Applications that link only slf4j versions including that fix are not vulnerable to this vulnerability.\n\nRed Hat Satellite 6 is not affected by this issue, since its candlepin component doesn\u0027t bundle slf4j-ext jar.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BPMS 7.4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14718"
},
{
"category": "external",
"summary": "RHBZ#1666415",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666415"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14718",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14718"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14718",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14718"
}
],
"release_date": "2018-07-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-07-22T14:53:17+00:00",
"details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss BPMS 7.4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:1823"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"Red Hat JBoss BPMS 7.4"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jackson-databind: arbitrary code execution in slf4j-ext class"
},
{
"cve": "CVE-2018-14719",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2019-01-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1666418"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using blaze classes. An attacker could use this flaw to execute arbitrary code.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The following Red Hat products are not affected by this issue as they do not bundle or provide the requisite gadget jars to exploit this vulnerability:\nRed Hat Satellite 6\nRed Hat Enterprise Virtualization 4\nRed Hat Fuse 6, 7, and Fuse Integration Services 2\nRed Hat A-MQ 6",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BPMS 7.4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14719"
},
{
"category": "external",
"summary": "RHBZ#1666418",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666418"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14719",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14719"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14719",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14719"
}
],
"release_date": "2018-07-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-07-22T14:53:17+00:00",
"details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss BPMS 7.4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:1823"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"Red Hat JBoss BPMS 7.4"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes"
},
{
"cve": "CVE-2018-14720",
"cwe": {
"id": "CWE-611",
"name": "Improper Restriction of XML External Entity Reference"
},
"discovery_date": "2019-01-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1666423"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the slf4j, flex messaging, sun DRSHelper and JAX-WS gadgets when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: exfiltration/XXE in some JDK classes",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6 is not affected by this issue, since its only supported Java runtime (openJDK) doesn\u0027t bundle the com.sun.deploy.security.ruleset.DRSHelper class.\n\nRed Hat Enterprise Virtualization 4 is not affected by this issue, since its only supported Java runtime (openJDK) doesn\u0027t bundle the com.sun.deploy.security.ruleset.DRSHelper class.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BPMS 7.4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14720"
},
{
"category": "external",
"summary": "RHBZ#1666423",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666423"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14720",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14720"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14720",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14720"
}
],
"release_date": "2018-07-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-07-22T14:53:17+00:00",
"details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss BPMS 7.4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:1823"
},
{
"category": "workaround",
"details": "The following conditions are needed for an exploit, we recommend avoiding all if possible \n* Deserialization from sources you do not control\n* `enableDefaultTyping()`\n* `@JsonTypeInfo using `id.CLASS` or `id.MINIMAL_CLASS`",
"product_ids": [
"Red Hat JBoss BPMS 7.4"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"Red Hat JBoss BPMS 7.4"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: exfiltration/XXE in some JDK classes"
},
{
"cve": "CVE-2018-14721",
"cwe": {
"id": "CWE-352",
"name": "Cross-Site Request Forgery (CSRF)"
},
"discovery_date": "2019-01-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1666428"
}
],
"notes": [
{
"category": "description",
"text": "FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6 is not affected by this issue, since its candlepin component doesn\u0027t bundle axis2-jaxws jar.\n\nRed Hat Virtualization is not affected by this issue, since its does not bundle axis2-jaxws jar.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BPMS 7.4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14721"
},
{
"category": "external",
"summary": "RHBZ#1666428",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666428"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14721",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14721"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14721",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14721"
}
],
"release_date": "2018-07-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-07-22T14:53:17+00:00",
"details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss BPMS 7.4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:1823"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"Red Hat JBoss BPMS 7.4"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class"
},
{
"cve": "CVE-2018-19360",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2019-01-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1666482"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using the axis2-transport-jms class. An attacker could use this flaw to execute arbitrary code.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: improper polymorphic deserialization in axis2-transport-jms class",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6 is not affected by this issue, since its candlepin component doesn\u0027t include axis2-transport-jms jar.\n\nRed Hat Virtualization 4 is not affected by this issue, since it does not include axis2-transport-jms jar.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BPMS 7.4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-19360"
},
{
"category": "external",
"summary": "RHBZ#1666482",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666482"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-19360",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-19360"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-19360",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19360"
}
],
"release_date": "2018-11-18T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-07-22T14:53:17+00:00",
"details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss BPMS 7.4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:1823"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"Red Hat JBoss BPMS 7.4"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jackson-databind: improper polymorphic deserialization in axis2-transport-jms class"
},
{
"cve": "CVE-2018-19361",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2019-01-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1666484"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using the OpenJPA class. An attacker could use this flaw to execute arbitrary code.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: improper polymorphic deserialization in openjpa class",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6 is not affected by this issue, since its candlepin component doesn\u0027t bundle openjpa jar.\n\nRed Hat Virtualization 4 is not affected by this issue, since its candlepin component doesn\u0027t bundle openjpa jar.\n\nRed Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BPMS 7.4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-19361"
},
{
"category": "external",
"summary": "RHBZ#1666484",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666484"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-19361",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-19361"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-19361",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19361"
}
],
"release_date": "2018-11-18T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-07-22T14:53:17+00:00",
"details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss BPMS 7.4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:1823"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"Red Hat JBoss BPMS 7.4"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jackson-databind: improper polymorphic deserialization in openjpa class"
},
{
"cve": "CVE-2018-19362",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2019-01-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1666489"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using the jboss-common-core class. An attacker could use this flaw to execute arbitrary code.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: improper polymorphic deserialization in jboss-common-core class",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6 is not affected by this issue, since its candlepin component doesn\u0027t bundle jboss-common-core jar.\n\nRed Hat Virtualization 4 is not affected by this issue, since its candlepin component doesn\u0027t bundle jboss-common-core jar.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BPMS 7.4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-19362"
},
{
"category": "external",
"summary": "RHBZ#1666489",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666489"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-19362",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-19362"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-19362",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19362"
}
],
"release_date": "2018-11-18T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-07-22T14:53:17+00:00",
"details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss BPMS 7.4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:1823"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"Red Hat JBoss BPMS 7.4"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jackson-databind: improper polymorphic deserialization in jboss-common-core class"
},
{
"cve": "CVE-2019-10173",
"cwe": {
"id": "CWE-94",
"name": "Improper Control of Generation of Code (\u0027Code Injection\u0027)"
},
"discovery_date": "2019-06-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1722971"
}
],
"notes": [
{
"category": "description",
"text": "It was found that xstream API version 1.4.10 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format. This a regression of CVE-2013-7285 fixed in 1.4.7 (fixed) as of BPMS 6.0.1, the regression was introduced with xstream-1.4.10 implemented in RHPAM.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "xstream: remote code execution due to insecure XML deserialization (regression of CVE-2013-7285)",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BPMS 7.4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-10173"
},
{
"category": "external",
"summary": "RHBZ#1722971",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1722971"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-10173",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-10173"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-10173",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10173"
},
{
"category": "external",
"summary": "http://x-stream.github.io/changes.html#1.4.11",
"url": "http://x-stream.github.io/changes.html#1.4.11"
}
],
"release_date": "2018-10-23T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-07-22T14:53:17+00:00",
"details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss BPMS 7.4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:1823"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"Red Hat JBoss BPMS 7.4"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "xstream: remote code execution due to insecure XML deserialization (regression of CVE-2013-7285)"
}
]
}
RHSA-2019:2804
Vulnerability from csaf_redhat - Published: 2019-09-17 13:45 - Updated: 2026-05-14 22:24
A flaw was found in Jolokia, versions 1.2 through 1.6.0, where Jolokia did not correctly handle checking for origin and referrer headers when strict checking was enabled. An attacker could use this vulnerability to conduct cross-site request forgery or further attacks.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Fuse 6.3
Red Hat / Red Hat JBoss Fuse
|
cpe:/a:redhat:jboss_fuse:6.3
|
— |
Vendor Fix
fix
|
A vulnerability was discovered in jackson-databind where it would permit deserialization of a malicious object using MyBatis classes when using DefaultTyping. An attacker could use this flaw to achieve content exfiltration and possibly conduct further attacks.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Fuse 6.3
Red Hat / Red Hat JBoss Fuse
|
cpe:/a:redhat:jboss_fuse:6.3
|
— |
Vendor Fix
fix
|
A vulnerability was discovered in jackson-databind where it would permit deserialization of a malicious object using Jodd DB connection classes when using DefaultTyping. An attacker could use this flaw to achieve remote code execution under certain circumstances.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Fuse 6.3
Red Hat / Red Hat JBoss Fuse
|
cpe:/a:redhat:jboss_fuse:6.3
|
— |
Vendor Fix
fix
|
A vulnerability was discovered in jackson-databind where it would permit deserialization of a malicious object using Oracle JDBC classes when using DefaultTyping. An attacker could use this flaw to achieve remote code execution under certain circumstances.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Fuse 6.3
Red Hat / Red Hat JBoss Fuse
|
cpe:/a:redhat:jboss_fuse:6.3
|
— |
Vendor Fix
fix
|
A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using slf4j classes. An attacker could use this flaw to execute arbitrary code.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Fuse 6.3
Red Hat / Red Hat JBoss Fuse
|
cpe:/a:redhat:jboss_fuse:6.3
|
— |
Vendor Fix
fix
|
A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using blaze classes. An attacker could use this flaw to execute arbitrary code.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Fuse 6.3
Red Hat / Red Hat JBoss Fuse
|
cpe:/a:redhat:jboss_fuse:6.3
|
— |
Vendor Fix
fix
|
A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using the axis2-transport-jms class. An attacker could use this flaw to execute arbitrary code.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Fuse 6.3
Red Hat / Red Hat JBoss Fuse
|
cpe:/a:redhat:jboss_fuse:6.3
|
— |
Vendor Fix
fix
|
A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using the OpenJPA class. An attacker could use this flaw to execute arbitrary code.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Fuse 6.3
Red Hat / Red Hat JBoss Fuse
|
cpe:/a:redhat:jboss_fuse:6.3
|
— |
Vendor Fix
fix
|
A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using the jboss-common-core class. An attacker could use this flaw to execute arbitrary code.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Fuse 6.3
Red Hat / Red Hat JBoss Fuse
|
cpe:/a:redhat:jboss_fuse:6.3
|
— |
Vendor Fix
fix
|
A new polymorphic typing flaw was discovered in FasterXML jackson-databind, versions 2.x through 2.9.9. With default typing enabled, an attacker can send a specifically crafted JSON message to the server that allows them to read arbitrary local files.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Fuse 6.3
Red Hat / Red Hat JBoss Fuse
|
cpe:/a:redhat:jboss_fuse:6.3
|
— |
Vendor Fix
fix
Workaround
|
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Red Hat JBoss Fuse 6.3 and Red Hat JBoss A-MQ 6.3.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Fuse provides a small-footprint, flexible, open source enterprise service bus and integration platform. Red Hat A-MQ is a standards compliant messaging system that is tailored for use in mission critical applications.\n\nThis patch is an update to Red Hat Fuse 6.3 and Red Hat A-MQ 6.3. It includes bug fixes, which are documented in the patch notes accompanying the package on the download page. See the download link given in the references section below.\n\nSecurity fix(es):\n\n* jolokia: system-wide CSRF that could lead to Remote Code Execution (CVE-2018-10899)\n\n* jackson-databind: Potential information exfiltration with default typing, serialization gadget from MyBatis (CVE-2018-11307)\n\n* jackson-databind: improper polymorphic deserialization of types from Jodd-db library (CVE-2018-12022)\n\n* jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver (CVE-2018-12023)\n\n* jackson-databind: arbitrary code execution in slf4j-ext class (CVE-2018-14718)\n\n* jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes (CVE-2018-14719)\n \n* jackson-databind: improper polymorphic deserialization in axis2-transport-jms class (CVE-2018-19360)\n\n* jackson-databind: improper polymorphic deserialization in openjpa class (CVE-2018-19361)\n\n* jackson-databind: improper polymorphic deserialization in jboss-common-core class (CVE-2018-19362)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2019:2804",
"url": "https://access.redhat.com/errata/RHSA-2019:2804"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.amq.broker\u0026downloadType=securityPatches\u0026version=6.3.0",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.amq.broker\u0026downloadType=securityPatches\u0026version=6.3.0"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=jboss.fuse\u0026version=6.3",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=jboss.fuse\u0026version=6.3"
},
{
"category": "external",
"summary": "1601037",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601037"
},
{
"category": "external",
"summary": "1666415",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666415"
},
{
"category": "external",
"summary": "1666418",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666418"
},
{
"category": "external",
"summary": "1666482",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666482"
},
{
"category": "external",
"summary": "1666484",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666484"
},
{
"category": "external",
"summary": "1666489",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666489"
},
{
"category": "external",
"summary": "1671096",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1671096"
},
{
"category": "external",
"summary": "1671097",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1671097"
},
{
"category": "external",
"summary": "1677341",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1677341"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2019/rhsa-2019_2804.json"
}
],
"title": "Red Hat Security Advisory: Red Hat JBoss Fuse/A-MQ 6.3 R13 security and bug fix update",
"tracking": {
"current_release_date": "2026-05-14T22:24:25+00:00",
"generator": {
"date": "2026-05-14T22:24:25+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.0"
}
},
"id": "RHSA-2019:2804",
"initial_release_date": "2019-09-17T13:45:21+00:00",
"revision_history": [
{
"date": "2019-09-17T13:45:21+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2019-09-17T13:45:21+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-14T22:24:25+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Fuse 6.3",
"product": {
"name": "Red Hat Fuse 6.3",
"product_id": "Red Hat Fuse 6.3",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_fuse:6.3"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Fuse"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Martin Bajanik"
]
}
],
"cve": "CVE-2018-10899",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2018-07-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1601037"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jolokia, versions 1.2 through 1.6.0, where Jolokia did not correctly handle checking for origin and referrer headers when strict checking was enabled. An attacker could use this vulnerability to conduct cross-site request forgery or further attacks.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jolokia: system-wide CSRF that could lead to Remote Code Execution",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In Red Hat OpenStack Platform, jolokia is not enabled by default and, when enabled, the jolokia endpoints do not rely on CORS for security. Therefore, the impact has been reduced to Low and no updates will be provided at this time for the RHOSP jolokia package.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Fuse 6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-10899"
},
{
"category": "external",
"summary": "RHBZ#1601037",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601037"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-10899",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-10899"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-10899",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10899"
},
{
"category": "external",
"summary": "https://jolokia.org/#Minor_updates_coming_with_1.6.1",
"url": "https://jolokia.org/#Minor_updates_coming_with_1.6.1"
}
],
"release_date": "2019-06-11T10:41:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-09-17T13:45:21+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat Fuse 6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:2804"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"Red Hat Fuse 6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jolokia: system-wide CSRF that could lead to Remote Code Execution"
},
{
"cve": "CVE-2018-11307",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2019-02-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1677341"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was discovered in jackson-databind where it would permit deserialization of a malicious object using MyBatis classes when using DefaultTyping. An attacker could use this flaw to achieve content exfiltration and possibly conduct further attacks.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: Potential information exfiltration with default typing, serialization gadget from MyBatis",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6 is not affected by this issue, since Candlepin\u0027s java runtime environment does not load MyBatis classes.\n\nRed Hat Virtualization 4 is not affected by this issue, since it does not include MyBatis classes.\n\nRed Hat Fuse 6 and 7 are not directly affected by this issue, as although they do ship the vulnerable jackson-databind component, they do not enable polymorphic deserialization or default typing which are required for exploitability. Their impacts have correspondingly been reduced to Moderate. Future updates may address this flaw.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Fuse 6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-11307"
},
{
"category": "external",
"summary": "RHBZ#1677341",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1677341"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-11307",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-11307"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-11307",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11307"
}
],
"release_date": "2018-05-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-09-17T13:45:21+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat Fuse 6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:2804"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"Red Hat Fuse 6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: Potential information exfiltration with default typing, serialization gadget from MyBatis"
},
{
"cve": "CVE-2018-12022",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2019-01-16T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1671097"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was discovered in jackson-databind where it would permit deserialization of a malicious object using Jodd DB connection classes when using DefaultTyping. An attacker could use this flaw to achieve remote code execution under certain circumstances.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: improper polymorphic deserialization of types from Jodd-db library",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6 is not affected by this issue, since Candlepin\u0027s java runtime environment does not load Jodd classes.\n\nRed Hat Virtualization 4 is not affected by this issue, since it does not load Jodd classes.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Fuse 6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-12022"
},
{
"category": "external",
"summary": "RHBZ#1671097",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1671097"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-12022",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-12022"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-12022",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12022"
}
],
"release_date": "2018-05-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-09-17T13:45:21+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat Fuse 6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:2804"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"Red Hat Fuse 6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jackson-databind: improper polymorphic deserialization of types from Jodd-db library"
},
{
"cve": "CVE-2018-12023",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2019-01-16T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1671096"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was discovered in jackson-databind where it would permit deserialization of a malicious object using Oracle JDBC classes when using DefaultTyping. An attacker could use this flaw to achieve remote code execution under certain circumstances.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6 is not affected by this issue, since Candlepin\u0027s java runtime environment does not load Oracle\u0027s JDBC classes.\n\nRed Hat Virtualization 4 is not affected by this issue, since it does not load Oracle\u0027s JDBC classes.\n\nRed Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Fuse 6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-12023"
},
{
"category": "external",
"summary": "RHBZ#1671096",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1671096"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-12023",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-12023"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-12023",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12023"
}
],
"release_date": "2018-06-08T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-09-17T13:45:21+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat Fuse 6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:2804"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"Red Hat Fuse 6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver"
},
{
"cve": "CVE-2018-14718",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2019-01-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1666415"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using slf4j classes. An attacker could use this flaw to execute arbitrary code.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: arbitrary code execution in slf4j-ext class",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability in jackson-databind involves exploiting CVE-2018-8088 against slf4j, which was fixed in Red Hat products through the errata referenced at https://access.redhat.com/security/cve/cve-2018-8088. Applications that link only slf4j versions including that fix are not vulnerable to this vulnerability.\n\nRed Hat Satellite 6 is not affected by this issue, since its candlepin component doesn\u0027t bundle slf4j-ext jar.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Fuse 6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14718"
},
{
"category": "external",
"summary": "RHBZ#1666415",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666415"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14718",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14718"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14718",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14718"
}
],
"release_date": "2018-07-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-09-17T13:45:21+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat Fuse 6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:2804"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"Red Hat Fuse 6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jackson-databind: arbitrary code execution in slf4j-ext class"
},
{
"cve": "CVE-2018-14719",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2019-01-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1666418"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using blaze classes. An attacker could use this flaw to execute arbitrary code.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The following Red Hat products are not affected by this issue as they do not bundle or provide the requisite gadget jars to exploit this vulnerability:\nRed Hat Satellite 6\nRed Hat Enterprise Virtualization 4\nRed Hat Fuse 6, 7, and Fuse Integration Services 2\nRed Hat A-MQ 6",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Fuse 6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14719"
},
{
"category": "external",
"summary": "RHBZ#1666418",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666418"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14719",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14719"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14719",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14719"
}
],
"release_date": "2018-07-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-09-17T13:45:21+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat Fuse 6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:2804"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"Red Hat Fuse 6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes"
},
{
"cve": "CVE-2018-19360",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2019-01-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1666482"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using the axis2-transport-jms class. An attacker could use this flaw to execute arbitrary code.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: improper polymorphic deserialization in axis2-transport-jms class",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6 is not affected by this issue, since its candlepin component doesn\u0027t include axis2-transport-jms jar.\n\nRed Hat Virtualization 4 is not affected by this issue, since it does not include axis2-transport-jms jar.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Fuse 6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-19360"
},
{
"category": "external",
"summary": "RHBZ#1666482",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666482"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-19360",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-19360"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-19360",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19360"
}
],
"release_date": "2018-11-18T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-09-17T13:45:21+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat Fuse 6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:2804"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"Red Hat Fuse 6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jackson-databind: improper polymorphic deserialization in axis2-transport-jms class"
},
{
"cve": "CVE-2018-19361",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2019-01-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1666484"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using the OpenJPA class. An attacker could use this flaw to execute arbitrary code.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: improper polymorphic deserialization in openjpa class",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6 is not affected by this issue, since its candlepin component doesn\u0027t bundle openjpa jar.\n\nRed Hat Virtualization 4 is not affected by this issue, since its candlepin component doesn\u0027t bundle openjpa jar.\n\nRed Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Fuse 6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-19361"
},
{
"category": "external",
"summary": "RHBZ#1666484",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666484"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-19361",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-19361"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-19361",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19361"
}
],
"release_date": "2018-11-18T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-09-17T13:45:21+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat Fuse 6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:2804"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"Red Hat Fuse 6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jackson-databind: improper polymorphic deserialization in openjpa class"
},
{
"cve": "CVE-2018-19362",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2019-01-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1666489"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using the jboss-common-core class. An attacker could use this flaw to execute arbitrary code.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: improper polymorphic deserialization in jboss-common-core class",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6 is not affected by this issue, since its candlepin component doesn\u0027t bundle jboss-common-core jar.\n\nRed Hat Virtualization 4 is not affected by this issue, since its candlepin component doesn\u0027t bundle jboss-common-core jar.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Fuse 6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-19362"
},
{
"category": "external",
"summary": "RHBZ#1666489",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666489"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-19362",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-19362"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-19362",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19362"
}
],
"release_date": "2018-11-18T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-09-17T13:45:21+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat Fuse 6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:2804"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"Red Hat Fuse 6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jackson-databind: improper polymorphic deserialization in jboss-common-core class"
},
{
"cve": "CVE-2019-12814",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2019-06-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1725795"
}
],
"notes": [
{
"category": "description",
"text": "A new polymorphic typing flaw was discovered in FasterXML jackson-databind, versions 2.x through 2.9.9. With default typing enabled, an attacker can send a specially crafted JSON message to the server that allows them to read arbitrary local files.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: polymorphic typing issue allows attacker to read arbitrary local files on the server via crafted JSON message.",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "* Red Hat Satellite 6 does not include the jdom or jdom2 packages, thus it is not affected by this vulnerability. \n* Red Hat OpenStack\u0027s OpenDaylight does not include the jdom or jdom2 packages, thus it is not affected by this vulnerability.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Fuse 6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-12814"
},
{
"category": "external",
"summary": "RHBZ#1725795",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1725795"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-12814",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-12814"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-12814",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12814"
}
],
"release_date": "2019-06-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-09-17T13:45:21+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat Fuse 6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:2804"
},
{
"category": "workaround",
"details": "This vulnerability relies on jdom (org.jdom) or jdom2 (org.jdom2) being present in the application\u0027s ClassPath. Applications using jackson-databind that do not also use jdom or jdom2 are not impacted by this vulnerability.",
"product_ids": [
"Red Hat Fuse 6.3"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"Red Hat Fuse 6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: polymorphic typing issue allows attacker to read arbitrary local files on the server via crafted JSON message."
}
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.