CVE-2018-7489
Vulnerability from cvelistv5
Published
2018-02-26 15:00
Modified
2024-08-05 06:31
Severity ?
Summary
FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.
References
cve@mitre.orghttp://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.htmlPatch
cve@mitre.orghttp://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.htmlPatch
cve@mitre.orghttp://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.htmlPatch
cve@mitre.orghttp://www.securityfocus.com/bid/103203Third Party Advisory, VDB Entry
cve@mitre.orghttp://www.securitytracker.com/id/1040693Third Party Advisory, VDB Entry
cve@mitre.orghttp://www.securitytracker.com/id/1041890Third Party Advisory, VDB Entry
cve@mitre.orghttps://access.redhat.com/errata/RHSA-2018:1447Third Party Advisory
cve@mitre.orghttps://access.redhat.com/errata/RHSA-2018:1448Third Party Advisory
cve@mitre.orghttps://access.redhat.com/errata/RHSA-2018:1449Third Party Advisory
cve@mitre.orghttps://access.redhat.com/errata/RHSA-2018:1450Third Party Advisory
cve@mitre.orghttps://access.redhat.com/errata/RHSA-2018:1451Third Party Advisory
cve@mitre.orghttps://access.redhat.com/errata/RHSA-2018:1786Third Party Advisory
cve@mitre.orghttps://access.redhat.com/errata/RHSA-2018:2088Third Party Advisory
cve@mitre.orghttps://access.redhat.com/errata/RHSA-2018:2089Third Party Advisory
cve@mitre.orghttps://access.redhat.com/errata/RHSA-2018:2090Third Party Advisory
cve@mitre.orghttps://access.redhat.com/errata/RHSA-2018:2938Third Party Advisory
cve@mitre.orghttps://access.redhat.com/errata/RHSA-2018:2939Third Party Advisory
cve@mitre.orghttps://access.redhat.com/errata/RHSA-2019:2858
cve@mitre.orghttps://access.redhat.com/errata/RHSA-2019:3149
cve@mitre.orghttps://github.com/FasterXML/jackson-databind/issues/1931Third Party Advisory
cve@mitre.orghttps://lists.apache.org/thread.html/r1d4a247329a8478073163567bbc8c8cb6b49c6bfc2bf58153a857af1%40%3Ccommits.druid.apache.org%3E
cve@mitre.orghttps://security.netapp.com/advisory/ntap-20180328-0001/Third Party Advisory
cve@mitre.orghttps://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03902en_usThird Party Advisory
cve@mitre.orghttps://www.debian.org/security/2018/dsa-4190Third Party Advisory
cve@mitre.orghttps://www.oracle.com/security-alerts/cpuoct2020.html
cve@mitre.orghttps://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.htmlPatch, Third Party Advisory
cve@mitre.orghttps://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.htmlPatch, Third Party Advisory
cve@mitre.orghttps://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.htmlPatch
Impacted products
n/an/a
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T06:31:03.738Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "103203",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/103203"
          },
          {
            "name": "RHSA-2018:1448",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:1448"
          },
          {
            "name": "RHSA-2018:1449",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:1449"
          },
          {
            "name": "RHSA-2018:2938",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:2938"
          },
          {
            "name": "RHSA-2018:1450",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:1450"
          },
          {
            "name": "RHSA-2018:2090",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:2090"
          },
          {
            "name": "RHSA-2018:2939",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:2939"
          },
          {
            "name": "1041890",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1041890"
          },
          {
            "name": "1040693",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1040693"
          },
          {
            "name": "RHSA-2018:1786",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:1786"
          },
          {
            "name": "RHSA-2018:1451",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:1451"
          },
          {
            "name": "DSA-4190",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2018/dsa-4190"
          },
          {
            "name": "RHSA-2018:1447",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:1447"
          },
          {
            "name": "RHSA-2018:2088",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:2088"
          },
          {
            "name": "RHSA-2018:2089",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:2089"
          },
          {
            "name": "RHSA-2019:2858",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:2858"
          },
          {
            "name": "RHSA-2019:3149",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:3149"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03902en_us"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20180328-0001/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/FasterXML/jackson-databind/issues/1931"
          },
          {
            "name": "[druid-commits] 20210324 [GitHub] [druid] jihoonson opened a new pull request #11030: Suppress cves",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r1d4a247329a8478073163567bbc8c8cb6b49c6bfc2bf58153a857af1%40%3Ccommits.druid.apache.org%3E"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2018-02-26T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-03-25T00:06:15",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "103203",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/103203"
        },
        {
          "name": "RHSA-2018:1448",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:1448"
        },
        {
          "name": "RHSA-2018:1449",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:1449"
        },
        {
          "name": "RHSA-2018:2938",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:2938"
        },
        {
          "name": "RHSA-2018:1450",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:1450"
        },
        {
          "name": "RHSA-2018:2090",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:2090"
        },
        {
          "name": "RHSA-2018:2939",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:2939"
        },
        {
          "name": "1041890",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1041890"
        },
        {
          "name": "1040693",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1040693"
        },
        {
          "name": "RHSA-2018:1786",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:1786"
        },
        {
          "name": "RHSA-2018:1451",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:1451"
        },
        {
          "name": "DSA-4190",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2018/dsa-4190"
        },
        {
          "name": "RHSA-2018:1447",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:1447"
        },
        {
          "name": "RHSA-2018:2088",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:2088"
        },
        {
          "name": "RHSA-2018:2089",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:2089"
        },
        {
          "name": "RHSA-2019:2858",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:2858"
        },
        {
          "name": "RHSA-2019:3149",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:3149"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03902en_us"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20180328-0001/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/FasterXML/jackson-databind/issues/1931"
        },
        {
          "name": "[druid-commits] 20210324 [GitHub] [druid] jihoonson opened a new pull request #11030: Suppress cves",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r1d4a247329a8478073163567bbc8c8cb6b49c6bfc2bf58153a857af1%40%3Ccommits.druid.apache.org%3E"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2018-7489",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "103203",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/103203"
            },
            {
              "name": "RHSA-2018:1448",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:1448"
            },
            {
              "name": "RHSA-2018:1449",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:1449"
            },
            {
              "name": "RHSA-2018:2938",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:2938"
            },
            {
              "name": "RHSA-2018:1450",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:1450"
            },
            {
              "name": "RHSA-2018:2090",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:2090"
            },
            {
              "name": "RHSA-2018:2939",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:2939"
            },
            {
              "name": "1041890",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1041890"
            },
            {
              "name": "1040693",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1040693"
            },
            {
              "name": "RHSA-2018:1786",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:1786"
            },
            {
              "name": "RHSA-2018:1451",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:1451"
            },
            {
              "name": "DSA-4190",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2018/dsa-4190"
            },
            {
              "name": "RHSA-2018:1447",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:1447"
            },
            {
              "name": "RHSA-2018:2088",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:2088"
            },
            {
              "name": "RHSA-2018:2089",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:2089"
            },
            {
              "name": "RHSA-2019:2858",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:2858"
            },
            {
              "name": "RHSA-2019:3149",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:3149"
            },
            {
              "name": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html",
              "refsource": "CONFIRM",
              "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"
            },
            {
              "name": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html",
              "refsource": "CONFIRM",
              "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"
            },
            {
              "name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html",
              "refsource": "CONFIRM",
              "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"
            },
            {
              "name": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html",
              "refsource": "CONFIRM",
              "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
            },
            {
              "name": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
            },
            {
              "name": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpuoct2020.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
            },
            {
              "name": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03902en_us",
              "refsource": "CONFIRM",
              "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03902en_us"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20180328-0001/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20180328-0001/"
            },
            {
              "name": "https://github.com/FasterXML/jackson-databind/issues/1931",
              "refsource": "CONFIRM",
              "url": "https://github.com/FasterXML/jackson-databind/issues/1931"
            },
            {
              "name": "[druid-commits] 20210324 [GitHub] [druid] jihoonson opened a new pull request #11030: Suppress cves",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r1d4a247329a8478073163567bbc8c8cb6b49c6bfc2bf58153a857af1@%3Ccommits.druid.apache.org%3E"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2018-7489",
    "datePublished": "2018-02-26T15:00:00",
    "dateReserved": "2018-02-26T00:00:00",
    "dateUpdated": "2024-08-05T06:31:03.738Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2018-7489\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2018-02-26T15:29:00.417\",\"lastModified\":\"2023-11-07T03:01:02.513\",\"vulnStatus\":\"Modified\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.\"},{\"lang\":\"es\",\"value\":\"FasterXML jackson-databind, en versiones anteriores a la 2.7.9.3, versiones 2.8.x anteriores a la 2.8.11.1 y las versiones 2.9.x anteriores a la 2.9.5, permite la ejecuci\u00f3n remota de c\u00f3digo sin autenticar debido a una soluci\u00f3n incompleta para el error de deserializaci\u00f3n CVE-2017-7525. Esto puede explotarse mediante el env\u00edo de entradas JSON maliciosamente manipuladas al m\u00e9todo readValue de ObjectMapper, omitiendo una lista negra no efectiva si las librer\u00edas c3p0 est\u00e1n disponibles en la classpath.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\",\"baseScore\":7.5},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-184\"},{\"lang\":\"en\",\"value\":\"CWE-502\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.7.9.3\",\"matchCriteriaId\":\"2EC8E14E-7532-4721-9D8B-7A51F72541CA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.8.0\",\"versionEndExcluding\":\"2.8.11.1\",\"matchCriteriaId\":\"53CC2248-EC84-4B3E-B5F3-E691C81377C0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.9.0\",\"versionEndExcluding\":\"2.9.5\",\"matchCriteriaId\":\"C8E95FD1-112C-4BBA-B1C5-BBE204B59C62\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DEECE5FC-CACF-4496-A3E7-164736409252\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E6039DC7-08F2-4DD9-B5B5-B6B22DD2409F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7231AF76-3D46-41C4-83E9-6E9E12940BD9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"622B95F1-8FA4-4AA6-9B68-5FE4302BA150\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.4.19:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"07740FE5-11D9-4562-9C38-2363718A5ECE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.1.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"60ADCB1D-CCD4-4680-8589-20AA1E385234\"}]}]}],\"references\":[{\"url\":\"http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\"]},{\"url\":\"http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\"]},{\"url\":\"http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\"]},{\"url\":\"http://www.securityfocus.com/bid/103203\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.securitytracker.com/id/1040693\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.securitytracker.com/id/1041890\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2018:1447\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2018:1448\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2018:1449\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2018:1450\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2018:1451\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2018:1786\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2018:2088\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2018:2089\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2018:2090\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2018:2938\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2018:2939\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2019:2858\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2019:3149\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://github.com/FasterXML/jackson-databind/issues/1931\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://lists.apache.org/thread.html/r1d4a247329a8478073163567bbc8c8cb6b49c6bfc2bf58153a857af1%40%3Ccommits.druid.apache.org%3E\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20180328-0001/\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03902en_us\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.debian.org/security/2018/dsa-4190\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpuoct2020.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading...

Loading...

Loading...
  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.