Vulnerability-Lookup

CVE-2018-7489 (GCVE-0-2018-7489)

Vulnerability from cvelistv5 – Published: 2018-02-26 15:00 – Updated: 2024-08-05 06:31

Summary

FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.

Severity

No CVSS data available.

CWE

Assigner

mitre

References

28 references

URL	Tags
http://www.securityfocus.com/bid/103203	vdb-entryx_refsource_BID
https://access.redhat.com/errata/RHSA-2018:1448	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2018:1449	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2018:2938	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2018:1450	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2018:2090	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2018:2939	vendor-advisoryx_refsource_REDHAT
http://www.securitytracker.com/id/1041890	vdb-entryx_refsource_SECTRACK
http://www.securitytracker.com/id/1040693	vdb-entryx_refsource_SECTRACK
https://access.redhat.com/errata/RHSA-2018:1786	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2018:1451	vendor-advisoryx_refsource_REDHAT
https://www.debian.org/security/2018/dsa-4190	vendor-advisoryx_refsource_DEBIAN
https://access.redhat.com/errata/RHSA-2018:1447	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2018:2088	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2018:2089	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:2858	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:3149	vendor-advisoryx_refsource_REDHAT
http://www.oracle.com/technetwork/security-adviso…	x_refsource_CONFIRM
http://www.oracle.com/technetwork/security-adviso…	x_refsource_CONFIRM
http://www.oracle.com/technetwork/security-adviso…	x_refsource_CONFIRM
https://www.oracle.com/technetwork/security-advis…	x_refsource_CONFIRM
https://www.oracle.com/technetwork/security-advis…	x_refsource_MISC
https://www.oracle.com/technetwork/security-advis…	x_refsource_MISC
https://www.oracle.com/security-alerts/cpuoct2020.html	x_refsource_MISC
https://support.hpe.com/hpsc/doc/public/display?d…	x_refsource_CONFIRM
https://security.netapp.com/advisory/ntap-2018032…	x_refsource_CONFIRM
https://github.com/FasterXML/jackson-databind/iss…	x_refsource_CONFIRM
https://lists.apache.org/thread.html/r1d4a247329a…	mailing-listx_refsource_MLIST

Date Public

2018-02-26 00:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T06:31:03.738Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "103203",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/103203"
          },
          {
            "name": "RHSA-2018:1448",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:1448"
          },
          {
            "name": "RHSA-2018:1449",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:1449"
          },
          {
            "name": "RHSA-2018:2938",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:2938"
          },
          {
            "name": "RHSA-2018:1450",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:1450"
          },
          {
            "name": "RHSA-2018:2090",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:2090"
          },
          {
            "name": "RHSA-2018:2939",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:2939"
          },
          {
            "name": "1041890",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1041890"
          },
          {
            "name": "1040693",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1040693"
          },
          {
            "name": "RHSA-2018:1786",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:1786"
          },
          {
            "name": "RHSA-2018:1451",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:1451"
          },
          {
            "name": "DSA-4190",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2018/dsa-4190"
          },
          {
            "name": "RHSA-2018:1447",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:1447"
          },
          {
            "name": "RHSA-2018:2088",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:2088"
          },
          {
            "name": "RHSA-2018:2089",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:2089"
          },
          {
            "name": "RHSA-2019:2858",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:2858"
          },
          {
            "name": "RHSA-2019:3149",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:3149"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03902en_us"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20180328-0001/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/FasterXML/jackson-databind/issues/1931"
          },
          {
            "name": "[druid-commits] 20210324 [GitHub] [druid] jihoonson opened a new pull request #11030: Suppress cves",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r1d4a247329a8478073163567bbc8c8cb6b49c6bfc2bf58153a857af1%40%3Ccommits.druid.apache.org%3E"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2018-02-26T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-03-25T00:06:15.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "103203",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/103203"
        },
        {
          "name": "RHSA-2018:1448",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:1448"
        },
        {
          "name": "RHSA-2018:1449",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:1449"
        },
        {
          "name": "RHSA-2018:2938",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:2938"
        },
        {
          "name": "RHSA-2018:1450",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:1450"
        },
        {
          "name": "RHSA-2018:2090",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:2090"
        },
        {
          "name": "RHSA-2018:2939",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:2939"
        },
        {
          "name": "1041890",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1041890"
        },
        {
          "name": "1040693",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1040693"
        },
        {
          "name": "RHSA-2018:1786",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:1786"
        },
        {
          "name": "RHSA-2018:1451",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:1451"
        },
        {
          "name": "DSA-4190",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2018/dsa-4190"
        },
        {
          "name": "RHSA-2018:1447",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:1447"
        },
        {
          "name": "RHSA-2018:2088",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:2088"
        },
        {
          "name": "RHSA-2018:2089",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:2089"
        },
        {
          "name": "RHSA-2019:2858",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:2858"
        },
        {
          "name": "RHSA-2019:3149",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:3149"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03902en_us"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20180328-0001/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/FasterXML/jackson-databind/issues/1931"
        },
        {
          "name": "[druid-commits] 20210324 [GitHub] [druid] jihoonson opened a new pull request #11030: Suppress cves",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r1d4a247329a8478073163567bbc8c8cb6b49c6bfc2bf58153a857af1%40%3Ccommits.druid.apache.org%3E"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2018-7489",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "103203",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/103203"
            },
            {
              "name": "RHSA-2018:1448",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:1448"
            },
            {
              "name": "RHSA-2018:1449",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:1449"
            },
            {
              "name": "RHSA-2018:2938",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:2938"
            },
            {
              "name": "RHSA-2018:1450",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:1450"
            },
            {
              "name": "RHSA-2018:2090",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:2090"
            },
            {
              "name": "RHSA-2018:2939",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:2939"
            },
            {
              "name": "1041890",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1041890"
            },
            {
              "name": "1040693",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1040693"
            },
            {
              "name": "RHSA-2018:1786",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:1786"
            },
            {
              "name": "RHSA-2018:1451",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:1451"
            },
            {
              "name": "DSA-4190",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2018/dsa-4190"
            },
            {
              "name": "RHSA-2018:1447",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:1447"
            },
            {
              "name": "RHSA-2018:2088",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:2088"
            },
            {
              "name": "RHSA-2018:2089",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:2089"
            },
            {
              "name": "RHSA-2019:2858",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:2858"
            },
            {
              "name": "RHSA-2019:3149",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:3149"
            },
            {
              "name": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html",
              "refsource": "CONFIRM",
              "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"
            },
            {
              "name": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html",
              "refsource": "CONFIRM",
              "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"
            },
            {
              "name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html",
              "refsource": "CONFIRM",
              "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"
            },
            {
              "name": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html",
              "refsource": "CONFIRM",
              "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
            },
            {
              "name": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
            },
            {
              "name": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpuoct2020.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
            },
            {
              "name": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03902en_us",
              "refsource": "CONFIRM",
              "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03902en_us"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20180328-0001/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20180328-0001/"
            },
            {
              "name": "https://github.com/FasterXML/jackson-databind/issues/1931",
              "refsource": "CONFIRM",
              "url": "https://github.com/FasterXML/jackson-databind/issues/1931"
            },
            {
              "name": "[druid-commits] 20210324 [GitHub] [druid] jihoonson opened a new pull request #11030: Suppress cves",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r1d4a247329a8478073163567bbc8c8cb6b49c6bfc2bf58153a857af1@%3Ccommits.druid.apache.org%3E"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2018-7489",
    "datePublished": "2018-02-26T15:00:00.000Z",
    "dateReserved": "2018-02-26T00:00:00.000Z",
    "dateUpdated": "2024-08-05T06:31:03.738Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2018-7489",
      "date": "2026-05-27",
      "epss": "0.36207",
      "percentile": "0.9717"
    },
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"2.7.9.3\", \"matchCriteriaId\": \"2EC8E14E-7532-4721-9D8B-7A51F72541CA\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"2.8.0\", \"versionEndExcluding\": \"2.8.11.1\", \"matchCriteriaId\": \"53CC2248-EC84-4B3E-B5F3-E691C81377C0\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"2.9.0\", \"versionEndExcluding\": \"2.9.5\", \"matchCriteriaId\": \"C8E95FD1-112C-4BBA-B1C5-BBE204B59C62\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"DEECE5FC-CACF-4496-A3E7-164736409252\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"E6039DC7-08F2-4DD9-B5B5-B6B22DD2409F\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"7231AF76-3D46-41C4-83E9-6E9E12940BD9\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"622B95F1-8FA4-4AA6-9B68-5FE4302BA150\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.4.19:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"07740FE5-11D9-4562-9C38-2363718A5ECE\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.1.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"60ADCB1D-CCD4-4680-8589-20AA1E385234\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.\"}, {\"lang\": \"es\", \"value\": \"FasterXML jackson-databind, en versiones anteriores a la 2.7.9.3, versiones 2.8.x anteriores a la 2.8.11.1 y las versiones 2.9.x anteriores a la 2.9.5, permite la ejecuci\\u00f3n remota de c\\u00f3digo sin autenticar debido a una soluci\\u00f3n incompleta para el error de deserializaci\\u00f3n CVE-2017-7525. Esto puede explotarse mediante el env\\u00edo de entradas JSON maliciosamente manipuladas al m\\u00e9todo readValue de ObjectMapper, omitiendo una lista negra no efectiva si las librer\\u00edas c3p0 est\\u00e1n disponibles en la classpath.\"}]",
      "id": "CVE-2018-7489",
      "lastModified": "2024-11-21T04:12:13.653",
      "metrics": "{\"cvssMetricV30\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:P/I:P/A:P\", \"baseScore\": 7.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"HIGH\", \"exploitabilityScore\": 10.0, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2018-02-26T15:29:00.417",
      "references": "[{\"url\": \"http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html\", \"source\": \"cve@mitre.org\", \"tags\": [\"Patch\"]}, {\"url\": \"http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html\", \"source\": \"cve@mitre.org\", \"tags\": [\"Patch\"]}, {\"url\": \"http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html\", \"source\": \"cve@mitre.org\", \"tags\": [\"Patch\"]}, {\"url\": \"http://www.securityfocus.com/bid/103203\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://www.securitytracker.com/id/1040693\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://www.securitytracker.com/id/1041890\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2018:1447\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2018:1448\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2018:1449\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2018:1450\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2018:1451\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2018:1786\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2018:2088\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2018:2089\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2018:2090\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2018:2938\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2018:2939\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2019:2858\", \"source\": \"cve@mitre.org\"}, {\"url\": \"https://access.redhat.com/errata/RHSA-2019:3149\", \"source\": \"cve@mitre.org\"}, {\"url\": \"https://github.com/FasterXML/jackson-databind/issues/1931\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://lists.apache.org/thread.html/r1d4a247329a8478073163567bbc8c8cb6b49c6bfc2bf58153a857af1%40%3Ccommits.druid.apache.org%3E\", \"source\": \"cve@mitre.org\"}, {\"url\": \"https://security.netapp.com/advisory/ntap-20180328-0001/\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03902en_us\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.debian.org/security/2018/dsa-4190\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\", \"source\": \"cve@mitre.org\"}, {\"url\": \"https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html\", \"source\": \"cve@mitre.org\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html\", \"source\": \"cve@mitre.org\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html\", \"source\": \"cve@mitre.org\", \"tags\": [\"Patch\"]}, {\"url\": \"http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"http://www.securityfocus.com/bid/103203\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://www.securitytracker.com/id/1040693\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://www.securitytracker.com/id/1041890\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2018:1447\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2018:1448\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2018:1449\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2018:1450\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2018:1451\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2018:1786\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2018:2088\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2018:2089\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2018:2090\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2018:2938\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2018:2939\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2019:2858\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://access.redhat.com/errata/RHSA-2019:3149\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://github.com/FasterXML/jackson-databind/issues/1931\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://lists.apache.org/thread.html/r1d4a247329a8478073163567bbc8c8cb6b49c6bfc2bf58153a857af1%40%3Ccommits.druid.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://security.netapp.com/advisory/ntap-20180328-0001/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03902en_us\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.debian.org/security/2018/dsa-4190\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}]",
      "sourceIdentifier": "cve@mitre.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-184\"}, {\"lang\": \"en\", \"value\": \"CWE-502\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2018-7489\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2018-02-26T15:29:00.417\",\"lastModified\":\"2024-11-21T04:12:13.653\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.\"},{\"lang\":\"es\",\"value\":\"FasterXML jackson-databind, en versiones anteriores a la 2.7.9.3, versiones 2.8.x anteriores a la 2.8.11.1 y las versiones 2.9.x anteriores a la 2.9.5, permite la ejecuci\u00f3n remota de c\u00f3digo sin autenticar debido a una soluci\u00f3n incompleta para el error de deserializaci\u00f3n CVE-2017-7525. Esto puede explotarse mediante el env\u00edo de entradas JSON maliciosamente manipuladas al m\u00e9todo readValue de ObjectMapper, omitiendo una lista negra no efectiva si las librer\u00edas c3p0 est\u00e1n disponibles en la classpath.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"baseScore\":7.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-184\"},{\"lang\":\"en\",\"value\":\"CWE-502\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.7.9.3\",\"matchCriteriaId\":\"2EC8E14E-7532-4721-9D8B-7A51F72541CA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.8.0\",\"versionEndExcluding\":\"2.8.11.1\",\"matchCriteriaId\":\"53CC2248-EC84-4B3E-B5F3-E691C81377C0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.9.0\",\"versionEndExcluding\":\"2.9.5\",\"matchCriteriaId\":\"C8E95FD1-112C-4BBA-B1C5-BBE204B59C62\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DEECE5FC-CACF-4496-A3E7-164736409252\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E6039DC7-08F2-4DD9-B5B5-B6B22DD2409F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7231AF76-3D46-41C4-83E9-6E9E12940BD9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"622B95F1-8FA4-4AA6-9B68-5FE4302BA150\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.4.19:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"07740FE5-11D9-4562-9C38-2363718A5ECE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.1.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"60ADCB1D-CCD4-4680-8589-20AA1E385234\"}]}]}],\"references\":[{\"url\":\"http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\"]},{\"url\":\"http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\"]},{\"url\":\"http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\"]},{\"url\":\"http://www.securityfocus.com/bid/103203\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.securitytracker.com/id/1040693\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.securitytracker.com/id/1041890\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2018:1447\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2018:1448\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2018:1449\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2018:1450\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2018:1451\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2018:1786\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2018:2088\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2018:2089\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2018:2090\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2018:2938\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2018:2939\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2019:2858\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2019:3149\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://github.com/FasterXML/jackson-databind/issues/1931\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://lists.apache.org/thread.html/r1d4a247329a8478073163567bbc8c8cb6b49c6bfc2bf58153a857af1%40%3Ccommits.druid.apache.org%3E\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20180328-0001/\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03902en_us\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.debian.org/security/2018/dsa-4190\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpuoct2020.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\"]},{\"url\":\"http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"http://www.securityfocus.com/bid/103203\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.securitytracker.com/id/1040693\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.securitytracker.com/id/1041890\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2018:1447\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2018:1448\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2018:1449\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2018:1450\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2018:1451\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2018:1786\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2018:2088\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2018:2089\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2018:2090\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2018:2938\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2018:2939\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2019:2858\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2019:3149\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/FasterXML/jackson-databind/issues/1931\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://lists.apache.org/thread.html/r1d4a247329a8478073163567bbc8c8cb6b49c6bfc2bf58153a857af1%40%3Ccommits.druid.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20180328-0001/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03902en_us\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.debian.org/security/2018/dsa-4190\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpuoct2020.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]}]}}"
  }
}

CERTFR-2026-AVI-0556

Vulnerability from certfr_avis - Published: 2026-05-11 - Updated: 2026-05-11

De multiples vulnérabilités ont été découvertes dans les produits VMware. Elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
VMware	Tanzu	Tanzu RabbitMQ on Kubernetes versions 31.3.x antérieures à 3.13.15
VMware	Tanzu Greenplum	Tanzu Greenplum Streaming Server For Kubernetes versions antérieures à 1.3.0
VMware	Tanzu	Tanzu Data Flow on Kubernetes versions antérieures à 2.1.0
VMware	Tanzu	Tanzu RabbitMQ on Kubernetes versions 4.0.x antérieures à 4.0.20
VMware	Tanzu Greenplum	Tanzu Greenplum Backup and Restore versions antérieures à1.33.0
VMware	Tanzu Greenplum	Tanzu Greenplum Data Copy Utility versions antérieures à 2.9.3
VMware	Tanzu	Tanzu for Valkey on Kubernetes versions antérieures à 3.3.4
VMware	Tanzu Greenplum	Tanzu Greenplum Command Center versions 6.17.x antérieures à 6.17.0
VMware	Tanzu Greenplum	Tanzu Greenplum on Kubernetes versions antérieures à 1.1.0
VMware	Tanzu Greenplum	Tanzu Greenplum Platform Extension Framework versions antérieures à 8.0.0
VMware	Tanzu	Tanzu RabbitMQ on Kubernetes versions 4.2.x antérieures à 4.2.6
VMware	Tanzu Greenplum	Tanzu Greenplum Text versions antérieures à 4.0.0
VMware	Tanzu Greenplum	Tanzu Greenplum Streaming Server versions antérieures à 2.3.0
VMware	Tanzu	Tanzu RabbitMQ on Kubernetes versions 4.3.x antérieures à 4.3.0
VMware	Tanzu	Tanzu for Valkey on Kubernetes versions antérieures à 3.4.0
VMware	Tanzu Gemfire	Tanzu GemFire versions antérieures à 10.2.3
VMware	Tanzu Greenplum	Tanzu Greenplum Upgrade versions antérieures à 2.0.0
VMware	Tanzu Greenplum	Tanzu Greenplumversions antérieures à 7.8.0
VMware	Tanzu Gemfire	Tanzu GemFire Vector Database versions antérieures à 1.2.2
VMware	Tanzu Greenplum	Tanzu Greenplum versions antérieures à 6.33.0
VMware	Tanzu Greenplum	Tanzu Greenplum Command Center versions 7.7.x antérieures à 7.7.0
VMware	Tanzu	Tanzu RabbitMQ on Kubernetes versions 4.1.x antérieures à 4.1.11
VMware	Tanzu	Tanzu for MySQL on Kubernetes versions antérieures à 2.0.3

References

Title

Publication Time

CERTFR-2026-AVI-0627

Vulnerability from certfr_avis - Published: 2026-05-21 - Updated: 2026-05-21

De multiples vulnérabilités ont été découvertes dans les produits Splunk. Certaines d'entre elles permettent à un attaquant de provoquer un déni de service à distance, une atteinte à la confidentialité des données et un problème de sécurité non spécifié par l'éditeur.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
Splunk	Splunk Enterprise	Splunk Enterprise versions 10.2.x antérieures à 10.2.3
Splunk	N/A	Splunk AI Toolkit versions 5.7.x antérieures à 5.7.3
Splunk	Splunk Cloud Platform	Splunk Cloud Platform versions 9.3.2411 antérieures à 9.3.2411.129
Splunk	Splunk Cloud Platform	Splunk Cloud Platform versions 10.3.2512 antérieures à 10.3.2512.9
Splunk	Splunk	image Docker Splunk versions 10.2.x antérieures à 10.2.2
Splunk	Splunk Cloud Platform	Splunk Cloud Platform versions 10.4.2603 antérieures à 10.4.2603.1
Splunk	Splunk AppDynamics Database Agent	Splunk AppDynamics Database Agent versions antérieures à 26.4.0
Splunk	Splunk	image Docker Splunk versions 9.4.x antérieures à 9.4.10
Splunk	Splunk User Behavior Analytics (UBA)	Splunk User Behavior Analytics versions 5.4.x antérieures à 5.4.5
Splunk	Splunk AppDynamics Private Synthetic Agent	Splunk AppDynamics Private Synthetic Agent versions antérieures à 26.4.0
Splunk	Splunk AppDynamics Analytics Agent	Splunk AppDynamics Analytics Agent versions antérieures à 26.4.0
Splunk	N/A	Splunk AppDynamics Cluster Agent versions antérieures à 26.4.0
Splunk	Splunk AppDynamics Machine Agent	Splunk AppDynamics Machine Agent versions antérieures à 26.4.0
Splunk	Splunk Cloud Platform	Splunk Cloud Platform versions 10.2.2510 antérieures à 10.2.2510.11
Splunk	N/A	Splunk AppDynamics Python Agent versions antérieures à 26.4.1
Splunk	Splunk	image Docker Splunk versions 10.0.x antérieures à 10.0.5
Splunk	N/A	Splunk Add-on for Tomcat versions 3.3.x antérieures à 3.3.1
Splunk	Splunk Cloud Platform	Splunk Cloud Platform versions 10.1.2507 antérieures à 10.1.2507.21
Splunk	Splunk Enterprise	Splunk Enterprise versions 10.0.x antérieures à 10.0.6
Splunk	N/A	Splunk AppDynamics Apache Web Server Agent versions 25.11.x antérieures à 25.11.1
Splunk	Splunk Enterprise	Splunk Enterprise versions 9.4.x antérieures à 9.4.11
Splunk	Splunk	image Docker Splunk versions 9.3.x antérieures à 9.3.11
Splunk	Splunk Cloud Platform	Splunk Cloud Platform versions 10.0.2503 antérieures à 10.0.2503.13
Splunk	Universal Forwarder	Splunk Universal Forwarder versions 9.4.x antérieures à 9.4.11
Splunk	Splunk Enterprise	Splunk Enterprise versions 9.3.x antérieures à 9.3.12
Splunk	Splunk AppDynamics Java Agent	Splunk AppDynamics Java Agent versions antérieures à 26.4.0

References

Title

Publication Time

CNVD-2018-05906

Vulnerability from cnvd - Published: 2018-03-21

Title

FasterXML jackson-databind代码执行漏洞

Description

FasterXML Jackson是美国FasterXML公司的一款用于Java的数据处理工具。Jackson-databind是其中的一个具有数据绑定功能的组件。 FasterXML jackson-databind 2.8.11.1之前版本和2.9.5之前的2.9.x版本中存在安全漏洞。远程攻击者可通过向ObjectMapper的readValue方法发送恶意制作的JSON输入。攻击者可利用该漏洞执行代码。

Severity

高

Patch Name

FasterXML jackson-databind代码执行漏洞的补丁

Patch Description

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://github.com/FasterXML/jackson-databind/issues/1931

Reference

https://github.com/FasterXML/jackson-databind/issues/1931

Impacted products

Name
['FasterXML jackson-databind >=2.9.x，<=2.9.3', 'FasterXML jackson-databind <2.8.11.1，2.9.*，<2.9.5']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2018-7489"
    }
  },
  "description": "FasterXML Jackson\u662f\u7f8e\u56fdFasterXML\u516c\u53f8\u7684\u4e00\u6b3e\u7528\u4e8eJava\u7684\u6570\u636e\u5904\u7406\u5de5\u5177\u3002Jackson-databind\u662f\u5176\u4e2d\u7684\u4e00\u4e2a\u5177\u6709\u6570\u636e\u7ed1\u5b9a\u529f\u80fd\u7684\u7ec4\u4ef6\u3002\r\n\r\nFasterXML jackson-databind 2.8.11.1\u4e4b\u524d\u7248\u672c\u548c2.9.5\u4e4b\u524d\u76842.9.x\u7248\u672c\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u5411ObjectMapper\u7684readValue\u65b9\u6cd5\u53d1\u9001\u6076\u610f\u5236\u4f5c\u7684JSON\u8f93\u5165\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u4ee3\u7801\u3002",
  "discovererName": "unknown",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://github.com/FasterXML/jackson-databind/issues/1931",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2018-05906",
  "openTime": "2018-03-21",
  "patchDescription": "FasterXML Jackson\u662f\u7f8e\u56fdFasterXML\u516c\u53f8\u7684\u4e00\u6b3e\u7528\u4e8eJava\u7684\u6570\u636e\u5904\u7406\u5de5\u5177\u3002Jackson-databind\u662f\u5176\u4e2d\u7684\u4e00\u4e2a\u5177\u6709\u6570\u636e\u7ed1\u5b9a\u529f\u80fd\u7684\u7ec4\u4ef6\u3002\r\n\r\nFasterXML jackson-databind 2.8.11.1\u4e4b\u524d\u7248\u672c\u548c2.9.5\u4e4b\u524d\u76842.9.x\u7248\u672c\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u5411ObjectMapper\u7684readValue\u65b9\u6cd5\u53d1\u9001\u6076\u610f\u5236\u4f5c\u7684JSON\u8f93\u5165\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u4ee3\u7801\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "FasterXML jackson-databind\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "FasterXML jackson-databind \u003e=2.9.x\uff0c\u003c=2.9.3",
      "FasterXML jackson-databind \u003c2.8.11.1\uff0c2.9.*\uff0c\u003c2.9.5"
    ]
  },
  "referenceLink": "https://github.com/FasterXML/jackson-databind/issues/1931",
  "serverity": "\u9ad8",
  "submitTime": "2018-02-28",
  "title": "FasterXML jackson-databind\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e"
}

FKIE_CVE-2018-7489

Vulnerability from fkie_nvd - Published: 2018-02-26 15:29 - Updated: 2024-11-21 04:12

Severity

9.8 (Critical) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
cve@mitre.org	http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html	Patch
cve@mitre.org	http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html	Patch
cve@mitre.org	http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html	Patch
cve@mitre.org	http://www.securityfocus.com/bid/103203	Third Party Advisory, VDB Entry
cve@mitre.org	http://www.securitytracker.com/id/1040693	Third Party Advisory, VDB Entry
cve@mitre.org	http://www.securitytracker.com/id/1041890	Third Party Advisory, VDB Entry
cve@mitre.org	https://access.redhat.com/errata/RHSA-2018:1447	Third Party Advisory
cve@mitre.org	https://access.redhat.com/errata/RHSA-2018:1448	Third Party Advisory
cve@mitre.org	https://access.redhat.com/errata/RHSA-2018:1449	Third Party Advisory
cve@mitre.org	https://access.redhat.com/errata/RHSA-2018:1450	Third Party Advisory
cve@mitre.org	https://access.redhat.com/errata/RHSA-2018:1451	Third Party Advisory
cve@mitre.org	https://access.redhat.com/errata/RHSA-2018:1786	Third Party Advisory
cve@mitre.org	https://access.redhat.com/errata/RHSA-2018:2088	Third Party Advisory
cve@mitre.org	https://access.redhat.com/errata/RHSA-2018:2089	Third Party Advisory
cve@mitre.org	https://access.redhat.com/errata/RHSA-2018:2090	Third Party Advisory
cve@mitre.org	https://access.redhat.com/errata/RHSA-2018:2938	Third Party Advisory
cve@mitre.org	https://access.redhat.com/errata/RHSA-2018:2939	Third Party Advisory
cve@mitre.org	https://access.redhat.com/errata/RHSA-2019:2858
cve@mitre.org	https://access.redhat.com/errata/RHSA-2019:3149
cve@mitre.org	https://github.com/FasterXML/jackson-databind/issues/1931	Third Party Advisory
cve@mitre.org	https://lists.apache.org/thread.html/r1d4a247329a8478073163567bbc8c8cb6b49c6bfc2bf58153a857af1%40%3Ccommits.druid.apache.org%3E
cve@mitre.org	https://security.netapp.com/advisory/ntap-20180328-0001/	Third Party Advisory
cve@mitre.org	https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03902en_us	Third Party Advisory
cve@mitre.org	https://www.debian.org/security/2018/dsa-4190	Third Party Advisory
cve@mitre.org	https://www.oracle.com/security-alerts/cpuoct2020.html
cve@mitre.org	https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html	Patch, Third Party Advisory
cve@mitre.org	https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html	Patch, Third Party Advisory
cve@mitre.org	https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html	Patch
af854a3a-2127-422b-91ae-364da2661108	http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html	Patch
af854a3a-2127-422b-91ae-364da2661108	http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html	Patch
af854a3a-2127-422b-91ae-364da2661108	http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html	Patch
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/103203	Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	http://www.securitytracker.com/id/1040693	Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	http://www.securitytracker.com/id/1041890	Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	https://access.redhat.com/errata/RHSA-2018:1447	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://access.redhat.com/errata/RHSA-2018:1448	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://access.redhat.com/errata/RHSA-2018:1449	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://access.redhat.com/errata/RHSA-2018:1450	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://access.redhat.com/errata/RHSA-2018:1451	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://access.redhat.com/errata/RHSA-2018:1786	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://access.redhat.com/errata/RHSA-2018:2088	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://access.redhat.com/errata/RHSA-2018:2089	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://access.redhat.com/errata/RHSA-2018:2090	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://access.redhat.com/errata/RHSA-2018:2938	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://access.redhat.com/errata/RHSA-2018:2939	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://access.redhat.com/errata/RHSA-2019:2858
af854a3a-2127-422b-91ae-364da2661108	https://access.redhat.com/errata/RHSA-2019:3149
af854a3a-2127-422b-91ae-364da2661108	https://github.com/FasterXML/jackson-databind/issues/1931	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/r1d4a247329a8478073163567bbc8c8cb6b49c6bfc2bf58153a857af1%40%3Ccommits.druid.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108	https://security.netapp.com/advisory/ntap-20180328-0001/	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03902en_us	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.debian.org/security/2018/dsa-4190	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.oracle.com/security-alerts/cpuoct2020.html
af854a3a-2127-422b-91ae-364da2661108	https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html	Patch

Impacted products

Vendor	Product	Version
fasterxml	jackson-databind	*
fasterxml	jackson-databind	*
fasterxml	jackson-databind	*
debian	debian_linux	8.0
debian	debian_linux	9.0
oracle	communications_billing_and_revenue_management	7.5
oracle	communications_billing_and_revenue_management	12.0
oracle	communications_instant_messaging_server	10.0.1
redhat	jboss_enterprise_application_platform	6.4.19
redhat	jboss_enterprise_application_platform	7.1.2

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "2EC8E14E-7532-4721-9D8B-7A51F72541CA",
              "versionEndExcluding": "2.7.9.3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "53CC2248-EC84-4B3E-B5F3-E691C81377C0",
              "versionEndExcluding": "2.8.11.1",
              "versionStartIncluding": "2.8.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "C8E95FD1-112C-4BBA-B1C5-BBE204B59C62",
              "versionEndExcluding": "2.9.5",
              "versionStartIncluding": "2.9.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "E6039DC7-08F2-4DD9-B5B5-B6B22DD2409F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "7231AF76-3D46-41C4-83E9-6E9E12940BD9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "622B95F1-8FA4-4AA6-9B68-5FE4302BA150",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.4.19:*:*:*:*:*:*:*",
              "matchCriteriaId": "07740FE5-11D9-4562-9C38-2363718A5ECE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.1.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "60ADCB1D-CCD4-4680-8589-20AA1E385234",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath."
    },
    {
      "lang": "es",
      "value": "FasterXML jackson-databind, en versiones anteriores a la 2.7.9.3, versiones 2.8.x anteriores a la 2.8.11.1 y las versiones 2.9.x anteriores a la 2.9.5, permite la ejecuci\u00f3n remota de c\u00f3digo sin autenticar debido a una soluci\u00f3n incompleta para el error de deserializaci\u00f3n CVE-2017-7525. Esto puede explotarse mediante el env\u00edo de entradas JSON maliciosamente manipuladas al m\u00e9todo readValue de ObjectMapper, omitiendo una lista negra no efectiva si las librer\u00edas c3p0 est\u00e1n disponibles en la classpath."
    }
  ],
  "id": "CVE-2018-7489",
  "lastModified": "2024-11-21T04:12:13.653",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 7.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2018-02-26T15:29:00.417",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch"
      ],
      "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch"
      ],
      "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch"
      ],
      "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/103203"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securitytracker.com/id/1040693"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securitytracker.com/id/1041890"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2018:1447"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2018:1448"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2018:1449"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2018:1450"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2018:1451"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2018:1786"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2018:2088"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2018:2089"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2018:2090"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2018:2938"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2018:2939"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://access.redhat.com/errata/RHSA-2019:2858"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://access.redhat.com/errata/RHSA-2019:3149"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/FasterXML/jackson-databind/issues/1931"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://lists.apache.org/thread.html/r1d4a247329a8478073163567bbc8c8cb6b49c6bfc2bf58153a857af1%40%3Ccommits.druid.apache.org%3E"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20180328-0001/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03902en_us"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.debian.org/security/2018/dsa-4190"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch"
      ],
      "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/103203"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securitytracker.com/id/1040693"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securitytracker.com/id/1041890"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2018:1447"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2018:1448"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2018:1449"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2018:1450"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2018:1451"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2018:1786"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2018:2088"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2018:2089"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2018:2090"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2018:2938"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2018:2939"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://access.redhat.com/errata/RHSA-2019:2858"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://access.redhat.com/errata/RHSA-2019:3149"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/FasterXML/jackson-databind/issues/1931"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/r1d4a247329a8478073163567bbc8c8cb6b49c6bfc2bf58153a857af1%40%3Ccommits.druid.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20180328-0001/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03902en_us"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.debian.org/security/2018/dsa-4190"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-184"
        },
        {
          "lang": "en",
          "value": "CWE-502"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-CGGJ-FVV3-CQWV

Vulnerability from github – Published: 2018-10-16 17:45 – Updated: 2024-03-15 01:08

Summary

FasterXML jackson-databind allows unauthenticated remote code execution

Details

FasterXML jackson-databind before before 2.6.7.5, 2.7.x before 2.7.9.3, 2.8.x before 2.8.11.1, and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.

Severity

9.8 (Critical)


                  
                    CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.8.11.0"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "com.fasterxml.jackson.core:jackson-databind"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.8.0"
            },
            {
              "fixed": "2.8.11.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.fasterxml.jackson.core:jackson-databind"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.9.0"
            },
            {
              "fixed": "2.9.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.fasterxml.jackson.core:jackson-databind"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.7.0"
            },
            {
              "fixed": "2.7.9.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.fasterxml.jackson.core:jackson-databind"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.6.7.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-7489"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-184",
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:31:30Z",
    "nvd_published_at": "2018-02-26T15:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "FasterXML jackson-databind before before 2.6.7.5, 2.7.x before 2.7.9.3, 2.8.x before 2.8.11.1, and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.",
  "id": "GHSA-cggj-fvv3-cqwv",
  "modified": "2024-03-15T01:08:04Z",
  "published": "2018-10-16T17:45:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7489"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FasterXML/jackson-databind/issues/1931"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FasterXML/jackson-databind/commit/e66c0a9d3c926ff1b63bf586c824ead1d02f2a3d"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FasterXML/jackson-databind/commit/ca2bfc86af82a1479112004b663ba74c760752e6"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FasterXML/jackson-databind/commit/c921f0935d5e41bf206e702d8077a275ba1a6efc"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FasterXML/jackson-databind/commit/6799f8f10cc78e9af6d443ed6982d00a13f2e7d2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FasterXML/jackson-databind/commit/bc22f90eb7f896ace9567598a99cb1ff6e0f9d9d"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2018/dsa-4190"
    },
    {
      "type": "WEB",
      "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03902en_us"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20180328-0001"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r1d4a247329a8478073163567bbc8c8cb6b49c6bfc2bf58153a857af1@%3Ccommits.druid.apache.org%3E"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-cggj-fvv3-cqwv"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/FasterXML/jackson-databind"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:3149"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:2858"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:2939"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:2938"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:2090"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:2089"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:2088"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:1786"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:1451"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:1450"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:1449"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:1448"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:1447"
    },
    {
      "type": "WEB",
      "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"
    },
    {
      "type": "WEB",
      "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"
    },
    {
      "type": "WEB",
      "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "FasterXML jackson-databind allows unauthenticated remote code execution "
}

GSD-2018-7489

Vulnerability from gsd - Updated: 2023-12-13 01:22

Details

Aliases

CVE-2018-7489

Aliases

CVE-2018-7489

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2018-7489",
    "description": "FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.",
    "id": "GSD-2018-7489",
    "references": [
      "https://www.suse.com/security/cve/CVE-2018-7489.html",
      "https://www.debian.org/security/2018/dsa-4190",
      "https://access.redhat.com/errata/RHSA-2020:2562",
      "https://access.redhat.com/errata/RHSA-2019:3149",
      "https://access.redhat.com/errata/RHSA-2019:2858",
      "https://access.redhat.com/errata/RHSA-2018:2939",
      "https://access.redhat.com/errata/RHSA-2018:2938",
      "https://access.redhat.com/errata/RHSA-2018:2090",
      "https://access.redhat.com/errata/RHSA-2018:2089",
      "https://access.redhat.com/errata/RHSA-2018:2088",
      "https://access.redhat.com/errata/RHEA-2018:2082",
      "https://access.redhat.com/errata/RHSA-2018:1786",
      "https://access.redhat.com/errata/RHSA-2018:1451",
      "https://access.redhat.com/errata/RHSA-2018:1450",
      "https://access.redhat.com/errata/RHSA-2018:1449",
      "https://access.redhat.com/errata/RHSA-2018:1448",
      "https://access.redhat.com/errata/RHSA-2018:1447"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2018-7489"
      ],
      "details": "FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.",
      "id": "GSD-2018-7489",
      "modified": "2023-12-13T01:22:33.013601Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2018-7489",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "103203",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/103203"
          },
          {
            "name": "RHSA-2018:1448",
            "refsource": "REDHAT",
            "url": "https://access.redhat.com/errata/RHSA-2018:1448"
          },
          {
            "name": "RHSA-2018:1449",
            "refsource": "REDHAT",
            "url": "https://access.redhat.com/errata/RHSA-2018:1449"
          },
          {
            "name": "RHSA-2018:2938",
            "refsource": "REDHAT",
            "url": "https://access.redhat.com/errata/RHSA-2018:2938"
          },
          {
            "name": "RHSA-2018:1450",
            "refsource": "REDHAT",
            "url": "https://access.redhat.com/errata/RHSA-2018:1450"
          },
          {
            "name": "RHSA-2018:2090",
            "refsource": "REDHAT",
            "url": "https://access.redhat.com/errata/RHSA-2018:2090"
          },
          {
            "name": "RHSA-2018:2939",
            "refsource": "REDHAT",
            "url": "https://access.redhat.com/errata/RHSA-2018:2939"
          },
          {
            "name": "1041890",
            "refsource": "SECTRACK",
            "url": "http://www.securitytracker.com/id/1041890"
          },
          {
            "name": "1040693",
            "refsource": "SECTRACK",
            "url": "http://www.securitytracker.com/id/1040693"
          },
          {
            "name": "RHSA-2018:1786",
            "refsource": "REDHAT",
            "url": "https://access.redhat.com/errata/RHSA-2018:1786"
          },
          {
            "name": "RHSA-2018:1451",
            "refsource": "REDHAT",
            "url": "https://access.redhat.com/errata/RHSA-2018:1451"
          },
          {
            "name": "DSA-4190",
            "refsource": "DEBIAN",
            "url": "https://www.debian.org/security/2018/dsa-4190"
          },
          {
            "name": "RHSA-2018:1447",
            "refsource": "REDHAT",
            "url": "https://access.redhat.com/errata/RHSA-2018:1447"
          },
          {
            "name": "RHSA-2018:2088",
            "refsource": "REDHAT",
            "url": "https://access.redhat.com/errata/RHSA-2018:2088"
          },
          {
            "name": "RHSA-2018:2089",
            "refsource": "REDHAT",
            "url": "https://access.redhat.com/errata/RHSA-2018:2089"
          },
          {
            "name": "RHSA-2019:2858",
            "refsource": "REDHAT",
            "url": "https://access.redhat.com/errata/RHSA-2019:2858"
          },
          {
            "name": "RHSA-2019:3149",
            "refsource": "REDHAT",
            "url": "https://access.redhat.com/errata/RHSA-2019:3149"
          },
          {
            "name": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html",
            "refsource": "CONFIRM",
            "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"
          },
          {
            "name": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html",
            "refsource": "CONFIRM",
            "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"
          },
          {
            "name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html",
            "refsource": "CONFIRM",
            "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"
          },
          {
            "name": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html",
            "refsource": "CONFIRM",
            "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
          },
          {
            "name": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html",
            "refsource": "MISC",
            "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
          },
          {
            "name": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html",
            "refsource": "MISC",
            "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
          },
          {
            "name": "https://www.oracle.com/security-alerts/cpuoct2020.html",
            "refsource": "MISC",
            "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
          },
          {
            "name": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03902en_us",
            "refsource": "CONFIRM",
            "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03902en_us"
          },
          {
            "name": "https://security.netapp.com/advisory/ntap-20180328-0001/",
            "refsource": "CONFIRM",
            "url": "https://security.netapp.com/advisory/ntap-20180328-0001/"
          },
          {
            "name": "https://github.com/FasterXML/jackson-databind/issues/1931",
            "refsource": "CONFIRM",
            "url": "https://github.com/FasterXML/jackson-databind/issues/1931"
          },
          {
            "name": "[druid-commits] 20210324 [GitHub] [druid] jihoonson opened a new pull request #11030: Suppress cves",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/r1d4a247329a8478073163567bbc8c8cb6b49c6bfc2bf58153a857af1@%3Ccommits.druid.apache.org%3E"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "(,2.7.9.3),[2.8.0,2.8.11.1),[2.9.0,2.9.5)",
          "affected_versions": "All versions before 2.7.9.3, all versions starting from 2.8.0 before 2.8.11.1, all versions starting from 2.9.0 before 2.9.5",
          "cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "cvss_v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-184",
            "CWE-502",
            "CWE-937"
          ],
          "date": "2019-09-27",
          "description": "FasterXML jackson-databind allows unauthenticated remote code execution. This is exploitable by sending maliciously crafted JSON input to the `readValue` method of the `ObjectMapper`, bypassing a denylist that is ineffective if the `c3p0` libraries are available in the classpath.",
          "fixed_versions": [
            "2.7.9.3",
            "2.8.11.1",
            "2.9.5"
          ],
          "identifier": "CVE-2018-7489",
          "identifiers": [
            "CVE-2018-7489"
          ],
          "not_impacted": "All versions starting from 2.7.9.3 before 2.8.0, all versions starting from 2.8.11.1 before 2.9.0, all versions starting from 2.9.5",
          "package_slug": "maven/com.fasterxml.jackson.core/jackson-databind",
          "pubdate": "2018-02-26",
          "solution": "Upgrade to versions 2.7.9.3, 2.8.11.1, 2.9.5 or above.",
          "title": "Deserialization of Untrusted Data",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2018-7489",
            "http://www.securityfocus.com/bid/103203",
            "http://www.securitytracker.com/id/1040693",
            "http://www.securitytracker.com/id/1041890",
            "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html",
            "https://github.com/FasterXML/jackson-databind/issues/1931",
            "https://security.netapp.com/advisory/ntap-20180328-0001/",
            "https://www.debian.org/security/2018/dsa-4190"
          ],
          "uuid": "0a647516-66dc-4381-9da7-601193d849e6"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.8.11.1",
                "versionStartIncluding": "2.8.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.9.5",
                "versionStartIncluding": "2.9.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.7.9.3",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.4.19:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.1.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2018-7489"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-184"
                },
                {
                  "lang": "en",
                  "value": "CWE-502"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/FasterXML/jackson-databind/issues/1931",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://github.com/FasterXML/jackson-databind/issues/1931"
            },
            {
              "name": "103203",
              "refsource": "BID",
              "tags": [
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://www.securityfocus.com/bid/103203"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20180328-0001/",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20180328-0001/"
            },
            {
              "name": "1040693",
              "refsource": "SECTRACK",
              "tags": [
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://www.securitytracker.com/id/1040693"
            },
            {
              "name": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html",
              "refsource": "CONFIRM",
              "tags": [
                "Patch"
              ],
              "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"
            },
            {
              "name": "DSA-4190",
              "refsource": "DEBIAN",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://www.debian.org/security/2018/dsa-4190"
            },
            {
              "name": "RHSA-2018:1451",
              "refsource": "REDHAT",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:1451"
            },
            {
              "name": "RHSA-2018:1450",
              "refsource": "REDHAT",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:1450"
            },
            {
              "name": "RHSA-2018:1449",
              "refsource": "REDHAT",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:1449"
            },
            {
              "name": "RHSA-2018:1448",
              "refsource": "REDHAT",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:1448"
            },
            {
              "name": "RHSA-2018:1447",
              "refsource": "REDHAT",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:1447"
            },
            {
              "name": "RHSA-2018:1786",
              "refsource": "REDHAT",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:1786"
            },
            {
              "name": "RHSA-2018:2090",
              "refsource": "REDHAT",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2090"
            },
            {
              "name": "RHSA-2018:2089",
              "refsource": "REDHAT",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2089"
            },
            {
              "name": "RHSA-2018:2088",
              "refsource": "REDHAT",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2088"
            },
            {
              "name": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html",
              "refsource": "CONFIRM",
              "tags": [
                "Patch"
              ],
              "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"
            },
            {
              "name": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03902en_us",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03902en_us"
            },
            {
              "name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html",
              "refsource": "CONFIRM",
              "tags": [
                "Patch"
              ],
              "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"
            },
            {
              "name": "1041890",
              "refsource": "SECTRACK",
              "tags": [
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://www.securitytracker.com/id/1041890"
            },
            {
              "name": "RHSA-2018:2939",
              "refsource": "REDHAT",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2939"
            },
            {
              "name": "RHSA-2018:2938",
              "refsource": "REDHAT",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2938"
            },
            {
              "name": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html",
              "refsource": "CONFIRM",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
            },
            {
              "name": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
            },
            {
              "name": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html",
              "refsource": "MISC",
              "tags": [
                "Patch"
              ],
              "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
            },
            {
              "name": "RHSA-2019:2858",
              "refsource": "REDHAT",
              "tags": [],
              "url": "https://access.redhat.com/errata/RHSA-2019:2858"
            },
            {
              "name": "RHSA-2019:3149",
              "refsource": "REDHAT",
              "tags": [],
              "url": "https://access.redhat.com/errata/RHSA-2019:3149"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpuoct2020.html",
              "refsource": "MISC",
              "tags": [],
              "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
            },
            {
              "name": "[druid-commits] 20210324 [GitHub] [druid] jihoonson opened a new pull request #11030: Suppress cves",
              "refsource": "MLIST",
              "tags": [],
              "url": "https://lists.apache.org/thread.html/r1d4a247329a8478073163567bbc8c8cb6b49c6bfc2bf58153a857af1@%3Ccommits.druid.apache.org%3E"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2021-03-25T01:15Z",
      "publishedDate": "2018-02-26T15:29Z"
    }
  }
}

OPENSUSE-SU-2024:10868-1

Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00

Summary

jackson-databind-2.10.5.1-2.2 on GA media

Severity

Moderate

Notes

Title of the patch: jackson-databind-2.10.5.1-2.2 on GA media

Description of the patch: These are all security issues fixed in the jackson-databind-2.10.5.1-2.2 package on the GA media of openSUSE Tumbleweed.

Patchnames: openSUSE-Tumbleweed-2024-10868

CVE-2018-11307

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products

Recommended 8 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64	—	Vendor Fix

Threats

Impact critical

CVE-2018-12022

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected products

Recommended 8 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2018-12023

7.5 (High)


                        
                          CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected products

Recommended 8 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2018-14718

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products

Recommended 8 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64	—	Vendor Fix

Threats

Impact critical

CVE-2018-14721

10 (Critical)


                        
                          CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Affected products

Recommended 8 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64	—	Vendor Fix

Threats

Impact critical

CVE-2018-19360

9.8 (Critical)


                        
                          CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products

Recommended 8 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64	—	Vendor Fix

Threats

Impact critical

CVE-2018-19361

9.8 (Critical)


                        
                          CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products

Recommended 8 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64	—	Vendor Fix

Threats

Impact critical

CVE-2018-7489

9.8 (Critical)


                        
                          CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products

Recommended 8 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64	—	Vendor Fix

Threats

Impact critical

CVE-2019-12086

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected products

Recommended 8 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2019-12384

5.9 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected products

Recommended 8 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2019-12814

5.9 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected products

Recommended 8 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2019-14379

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products

Recommended 8 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64	—	Vendor Fix

Threats

Impact critical

CVE-2019-14439

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected products

Recommended 8 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2019-14540

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected products

Recommended 8 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2019-14893

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products

Recommended 8 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64	—	Vendor Fix

Threats

Impact critical

CVE-2019-16942

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products

Recommended 8 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64	—	Vendor Fix

Threats

Impact critical

CVE-2019-17267

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected products

Recommended 8 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2019-17531

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products

Recommended 8 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64	—	Vendor Fix

Threats

Impact critical

CVE-2019-20330

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products

Recommended 8 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2020-25649

5.8 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

Affected products

Recommended 8 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2020-35728

7.3 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Affected products

Recommended 8 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2021-20190

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products

Recommended 8 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64	—	Vendor Fix

Threats

Impact important

References

59 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/o…	self
https://www.suse.com/security/cve/CVE-2018-11307/	self
https://www.suse.com/security/cve/CVE-2018-12022/	self
https://www.suse.com/security/cve/CVE-2018-12023/	self
https://www.suse.com/security/cve/CVE-2018-14718/	self
https://www.suse.com/security/cve/CVE-2018-14721/	self
https://www.suse.com/security/cve/CVE-2018-19360/	self
https://www.suse.com/security/cve/CVE-2018-19361/	self
https://www.suse.com/security/cve/CVE-2018-7489/	self
https://www.suse.com/security/cve/CVE-2019-12086/	self
https://www.suse.com/security/cve/CVE-2019-12384/	self
https://www.suse.com/security/cve/CVE-2019-12814/	self
https://www.suse.com/security/cve/CVE-2019-14379/	self
https://www.suse.com/security/cve/CVE-2019-14439/	self
https://www.suse.com/security/cve/CVE-2019-14540/	self
https://www.suse.com/security/cve/CVE-2019-14893/	self
https://www.suse.com/security/cve/CVE-2019-16942/	self
https://www.suse.com/security/cve/CVE-2019-17267/	self
https://www.suse.com/security/cve/CVE-2019-17531/	self
https://www.suse.com/security/cve/CVE-2019-20330/	self
https://www.suse.com/security/cve/CVE-2020-25649/	self
https://www.suse.com/security/cve/CVE-2020-35728/	self
https://www.suse.com/security/cve/CVE-2021-20190/	self
https://www.suse.com/security/cve/CVE-2018-11307	external
https://www.suse.com/security/cve/CVE-2018-12022	external
https://www.suse.com/security/cve/CVE-2018-12023	external
https://www.suse.com/security/cve/CVE-2018-14718	external
https://www.suse.com/security/cve/CVE-2018-14721	external
https://www.suse.com/security/cve/CVE-2018-19360	external
https://www.suse.com/security/cve/CVE-2018-19361	external
https://www.suse.com/security/cve/CVE-2018-7489	external
https://bugzilla.suse.com/1202327	external
https://www.suse.com/security/cve/CVE-2019-12086	external
https://bugzilla.suse.com/1202327	external
https://www.suse.com/security/cve/CVE-2019-12384	external
https://www.suse.com/security/cve/CVE-2019-12814	external
https://www.suse.com/security/cve/CVE-2019-14379	external
https://bugzilla.suse.com/1165035	external
https://www.suse.com/security/cve/CVE-2019-14439	external
https://bugzilla.suse.com/1165034	external
https://www.suse.com/security/cve/CVE-2019-14540	external
https://bugzilla.suse.com/1165038	external
https://bugzilla.suse.com/1165039	external
https://www.suse.com/security/cve/CVE-2019-14893	external
https://bugzilla.suse.com/1157186	external
https://www.suse.com/security/cve/CVE-2019-16942	external
https://bugzilla.suse.com/1165041	external
https://www.suse.com/security/cve/CVE-2019-17267	external
https://bugzilla.suse.com/1165044	external
https://www.suse.com/security/cve/CVE-2019-17531	external
https://www.suse.com/security/cve/CVE-2019-20330	external
https://bugzilla.suse.com/1160113	external
https://www.suse.com/security/cve/CVE-2020-25649	external
https://bugzilla.suse.com/1177616	external
https://www.suse.com/security/cve/CVE-2020-35728	external
https://bugzilla.suse.com/1180391	external
https://www.suse.com/security/cve/CVE-2021-20190	external
https://bugzilla.suse.com/1181118	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "jackson-databind-2.10.5.1-2.2 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the jackson-databind-2.10.5.1-2.2 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2024-10868",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_10868-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2018-11307 page",
        "url": "https://www.suse.com/security/cve/CVE-2018-11307/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2018-12022 page",
        "url": "https://www.suse.com/security/cve/CVE-2018-12022/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2018-12023 page",
        "url": "https://www.suse.com/security/cve/CVE-2018-12023/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2018-14718 page",
        "url": "https://www.suse.com/security/cve/CVE-2018-14718/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2018-14721 page",
        "url": "https://www.suse.com/security/cve/CVE-2018-14721/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2018-19360 page",
        "url": "https://www.suse.com/security/cve/CVE-2018-19360/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2018-19361 page",
        "url": "https://www.suse.com/security/cve/CVE-2018-19361/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2018-7489 page",
        "url": "https://www.suse.com/security/cve/CVE-2018-7489/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2019-12086 page",
        "url": "https://www.suse.com/security/cve/CVE-2019-12086/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2019-12384 page",
        "url": "https://www.suse.com/security/cve/CVE-2019-12384/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2019-12814 page",
        "url": "https://www.suse.com/security/cve/CVE-2019-12814/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2019-14379 page",
        "url": "https://www.suse.com/security/cve/CVE-2019-14379/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2019-14439 page",
        "url": "https://www.suse.com/security/cve/CVE-2019-14439/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2019-14540 page",
        "url": "https://www.suse.com/security/cve/CVE-2019-14540/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2019-14893 page",
        "url": "https://www.suse.com/security/cve/CVE-2019-14893/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2019-16942 page",
        "url": "https://www.suse.com/security/cve/CVE-2019-16942/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2019-17267 page",
        "url": "https://www.suse.com/security/cve/CVE-2019-17267/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2019-17531 page",
        "url": "https://www.suse.com/security/cve/CVE-2019-17531/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2019-20330 page",
        "url": "https://www.suse.com/security/cve/CVE-2019-20330/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2020-25649 page",
        "url": "https://www.suse.com/security/cve/CVE-2020-25649/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2020-35728 page",
        "url": "https://www.suse.com/security/cve/CVE-2020-35728/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2021-20190 page",
        "url": "https://www.suse.com/security/cve/CVE-2021-20190/"
      }
    ],
    "title": "jackson-databind-2.10.5.1-2.2 on GA media",
    "tracking": {
      "current_release_date": "2024-06-15T00:00:00Z",
      "generator": {
        "date": "2024-06-15T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2024:10868-1",
      "initial_release_date": "2024-06-15T00:00:00Z",
      "revision_history": [
        {
          "date": "2024-06-15T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "jackson-databind-2.10.5.1-2.2.aarch64",
                "product": {
                  "name": "jackson-databind-2.10.5.1-2.2.aarch64",
                  "product_id": "jackson-databind-2.10.5.1-2.2.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
                "product": {
                  "name": "jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
                  "product_id": "jackson-databind-javadoc-2.10.5.1-2.2.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "jackson-databind-2.10.5.1-2.2.ppc64le",
                "product": {
                  "name": "jackson-databind-2.10.5.1-2.2.ppc64le",
                  "product_id": "jackson-databind-2.10.5.1-2.2.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
                "product": {
                  "name": "jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
                  "product_id": "jackson-databind-javadoc-2.10.5.1-2.2.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "jackson-databind-2.10.5.1-2.2.s390x",
                "product": {
                  "name": "jackson-databind-2.10.5.1-2.2.s390x",
                  "product_id": "jackson-databind-2.10.5.1-2.2.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "jackson-databind-javadoc-2.10.5.1-2.2.s390x",
                "product": {
                  "name": "jackson-databind-javadoc-2.10.5.1-2.2.s390x",
                  "product_id": "jackson-databind-javadoc-2.10.5.1-2.2.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "jackson-databind-2.10.5.1-2.2.x86_64",
                "product": {
                  "name": "jackson-databind-2.10.5.1-2.2.x86_64",
                  "product_id": "jackson-databind-2.10.5.1-2.2.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "jackson-databind-javadoc-2.10.5.1-2.2.x86_64",
                "product": {
                  "name": "jackson-databind-javadoc-2.10.5.1-2.2.x86_64",
                  "product_id": "jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jackson-databind-2.10.5.1-2.2.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64"
        },
        "product_reference": "jackson-databind-2.10.5.1-2.2.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jackson-databind-2.10.5.1-2.2.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le"
        },
        "product_reference": "jackson-databind-2.10.5.1-2.2.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jackson-databind-2.10.5.1-2.2.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x"
        },
        "product_reference": "jackson-databind-2.10.5.1-2.2.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jackson-databind-2.10.5.1-2.2.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64"
        },
        "product_reference": "jackson-databind-2.10.5.1-2.2.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jackson-databind-javadoc-2.10.5.1-2.2.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64"
        },
        "product_reference": "jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jackson-databind-javadoc-2.10.5.1-2.2.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le"
        },
        "product_reference": "jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jackson-databind-javadoc-2.10.5.1-2.2.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x"
        },
        "product_reference": "jackson-databind-javadoc-2.10.5.1-2.2.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jackson-databind-javadoc-2.10.5.1-2.2.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
        },
        "product_reference": "jackson-databind-javadoc-2.10.5.1-2.2.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2018-11307",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2018-11307"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and 2.9.6.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2018-11307",
          "url": "https://www.suse.com/security/cve/CVE-2018-11307"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "critical"
        }
      ],
      "title": "CVE-2018-11307"
    },
    {
      "cve": "CVE-2018-12022",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2018-12022"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2018-12022",
          "url": "https://www.suse.com/security/cve/CVE-2018-12022"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2018-12022"
    },
    {
      "cve": "CVE-2018-12023",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2018-12023"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2018-12023",
          "url": "https://www.suse.com/security/cve/CVE-2018-12023"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2018-12023"
    },
    {
      "cve": "CVE-2018-14718",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2018-14718"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2018-14718",
          "url": "https://www.suse.com/security/cve/CVE-2018-14718"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "critical"
        }
      ],
      "title": "CVE-2018-14718"
    },
    {
      "cve": "CVE-2018-14721",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2018-14721"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2018-14721",
          "url": "https://www.suse.com/security/cve/CVE-2018-14721"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 10,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "critical"
        }
      ],
      "title": "CVE-2018-14721"
    },
    {
      "cve": "CVE-2018-19360",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2018-19360"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2018-19360",
          "url": "https://www.suse.com/security/cve/CVE-2018-19360"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "critical"
        }
      ],
      "title": "CVE-2018-19360"
    },
    {
      "cve": "CVE-2018-19361",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2018-19361"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2018-19361",
          "url": "https://www.suse.com/security/cve/CVE-2018-19361"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "critical"
        }
      ],
      "title": "CVE-2018-19361"
    },
    {
      "cve": "CVE-2018-7489",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2018-7489"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2018-7489",
          "url": "https://www.suse.com/security/cve/CVE-2018-7489"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1202327 for CVE-2018-7489",
          "url": "https://bugzilla.suse.com/1202327"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "critical"
        }
      ],
      "title": "CVE-2018-7489"
    },
    {
      "cve": "CVE-2019-12086",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2019-12086"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2019-12086",
          "url": "https://www.suse.com/security/cve/CVE-2019-12086"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1202327 for CVE-2019-12086",
          "url": "https://bugzilla.suse.com/1202327"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2019-12086"
    },
    {
      "cve": "CVE-2019-12384",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2019-12384"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2019-12384",
          "url": "https://www.suse.com/security/cve/CVE-2019-12384"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2019-12384"
    },
    {
      "cve": "CVE-2019-12814",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2019-12814"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2019-12814",
          "url": "https://www.suse.com/security/cve/CVE-2019-12814"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2019-12814"
    },
    {
      "cve": "CVE-2019-14379",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2019-14379"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2019-14379",
          "url": "https://www.suse.com/security/cve/CVE-2019-14379"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1165035 for CVE-2019-14379",
          "url": "https://bugzilla.suse.com/1165035"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "critical"
        }
      ],
      "title": "CVE-2019-14379"
    },
    {
      "cve": "CVE-2019-14439",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2019-14439"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2019-14439",
          "url": "https://www.suse.com/security/cve/CVE-2019-14439"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1165034 for CVE-2019-14439",
          "url": "https://bugzilla.suse.com/1165034"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2019-14439"
    },
    {
      "cve": "CVE-2019-14540",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2019-14540"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2019-14540",
          "url": "https://www.suse.com/security/cve/CVE-2019-14540"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1165038 for CVE-2019-14540",
          "url": "https://bugzilla.suse.com/1165038"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1165039 for CVE-2019-14540",
          "url": "https://bugzilla.suse.com/1165039"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2019-14540"
    },
    {
      "cve": "CVE-2019-14893",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2019-14893"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2019-14893",
          "url": "https://www.suse.com/security/cve/CVE-2019-14893"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1157186 for CVE-2019-14893",
          "url": "https://bugzilla.suse.com/1157186"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "critical"
        }
      ],
      "title": "CVE-2019-14893"
    },
    {
      "cve": "CVE-2019-16942",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2019-16942"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2019-16942",
          "url": "https://www.suse.com/security/cve/CVE-2019-16942"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1165041 for CVE-2019-16942",
          "url": "https://bugzilla.suse.com/1165041"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "critical"
        }
      ],
      "title": "CVE-2019-16942"
    },
    {
      "cve": "CVE-2019-17267",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2019-17267"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2019-17267",
          "url": "https://www.suse.com/security/cve/CVE-2019-17267"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1165044 for CVE-2019-17267",
          "url": "https://bugzilla.suse.com/1165044"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2019-17267"
    },
    {
      "cve": "CVE-2019-17531",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2019-17531"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2019-17531",
          "url": "https://www.suse.com/security/cve/CVE-2019-17531"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "critical"
        }
      ],
      "title": "CVE-2019-17531"
    },
    {
      "cve": "CVE-2019-20330",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2019-20330"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2019-20330",
          "url": "https://www.suse.com/security/cve/CVE-2019-20330"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1160113 for CVE-2019-20330",
          "url": "https://bugzilla.suse.com/1160113"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2019-20330"
    },
    {
      "cve": "CVE-2020-25649",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2020-25649"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2020-25649",
          "url": "https://www.suse.com/security/cve/CVE-2020-25649"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1177616 for CVE-2020-25649",
          "url": "https://bugzilla.suse.com/1177616"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2020-25649"
    },
    {
      "cve": "CVE-2020-35728",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2020-35728"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl).",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2020-35728",
          "url": "https://www.suse.com/security/cve/CVE-2020-35728"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1180391 for CVE-2020-35728",
          "url": "https://bugzilla.suse.com/1180391"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2020-35728"
    },
    {
      "cve": "CVE-2021-20190",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2021-20190"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
          "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2021-20190",
          "url": "https://www.suse.com/security/cve/CVE-2021-20190"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1181118 for CVE-2021-20190",
          "url": "https://bugzilla.suse.com/1181118"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-2.10.5.1-2.2.x86_64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.aarch64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.s390x",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.10.5.1-2.2.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2021-20190"
    }
  ]
}

OPENSUSE-SU-2024:10886-1

Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00

Summary

kafka-source-2.1.0-3.6 on GA media

Severity

Moderate

Notes

Title of the patch: kafka-source-2.1.0-3.6 on GA media

Description of the patch: These are all security issues fixed in the kafka-source-2.1.0-3.6 package on the GA media of openSUSE Tumbleweed.

Patchnames: openSUSE-Tumbleweed-2024-10886

CVE-2018-1288

8.1 (High)


                        
                          CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:kafka-source-2.1.0-3.6.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:kafka-source-2.1.0-3.6.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:kafka-source-2.1.0-3.6.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:kafka-source-2.1.0-3.6.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2018-7489

9.8 (Critical)


                        
                          CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:kafka-source-2.1.0-3.6.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:kafka-source-2.1.0-3.6.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:kafka-source-2.1.0-3.6.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:kafka-source-2.1.0-3.6.x86_64	—	Vendor Fix

Threats

Impact critical

References

8 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/o…	self
https://www.suse.com/security/cve/CVE-2018-1288/	self
https://www.suse.com/security/cve/CVE-2018-7489/	self
https://www.suse.com/security/cve/CVE-2018-1288	external
https://bugzilla.suse.com/1102920	external
https://www.suse.com/security/cve/CVE-2018-7489	external
https://bugzilla.suse.com/1202327	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "kafka-source-2.1.0-3.6 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the kafka-source-2.1.0-3.6 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2024-10886",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_10886-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2018-1288 page",
        "url": "https://www.suse.com/security/cve/CVE-2018-1288/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2018-7489 page",
        "url": "https://www.suse.com/security/cve/CVE-2018-7489/"
      }
    ],
    "title": "kafka-source-2.1.0-3.6 on GA media",
    "tracking": {
      "current_release_date": "2024-06-15T00:00:00Z",
      "generator": {
        "date": "2024-06-15T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2024:10886-1",
      "initial_release_date": "2024-06-15T00:00:00Z",
      "revision_history": [
        {
          "date": "2024-06-15T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "kafka-source-2.1.0-3.6.aarch64",
                "product": {
                  "name": "kafka-source-2.1.0-3.6.aarch64",
                  "product_id": "kafka-source-2.1.0-3.6.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "kafka-source-2.1.0-3.6.ppc64le",
                "product": {
                  "name": "kafka-source-2.1.0-3.6.ppc64le",
                  "product_id": "kafka-source-2.1.0-3.6.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "kafka-source-2.1.0-3.6.s390x",
                "product": {
                  "name": "kafka-source-2.1.0-3.6.s390x",
                  "product_id": "kafka-source-2.1.0-3.6.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "kafka-source-2.1.0-3.6.x86_64",
                "product": {
                  "name": "kafka-source-2.1.0-3.6.x86_64",
                  "product_id": "kafka-source-2.1.0-3.6.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kafka-source-2.1.0-3.6.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:kafka-source-2.1.0-3.6.aarch64"
        },
        "product_reference": "kafka-source-2.1.0-3.6.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kafka-source-2.1.0-3.6.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:kafka-source-2.1.0-3.6.ppc64le"
        },
        "product_reference": "kafka-source-2.1.0-3.6.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kafka-source-2.1.0-3.6.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:kafka-source-2.1.0-3.6.s390x"
        },
        "product_reference": "kafka-source-2.1.0-3.6.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kafka-source-2.1.0-3.6.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:kafka-source-2.1.0-3.6.x86_64"
        },
        "product_reference": "kafka-source-2.1.0-3.6.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2018-1288",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2018-1288"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In Apache Kafka 0.9.0.0 to 0.9.0.1, 0.10.0.0 to 0.10.2.1, 0.11.0.0 to 0.11.0.2, and 1.0.0, authenticated Kafka users may perform action reserved for the Broker via a manually created fetch request interfering with data replication, resulting in data loss.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:kafka-source-2.1.0-3.6.aarch64",
          "openSUSE Tumbleweed:kafka-source-2.1.0-3.6.ppc64le",
          "openSUSE Tumbleweed:kafka-source-2.1.0-3.6.s390x",
          "openSUSE Tumbleweed:kafka-source-2.1.0-3.6.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2018-1288",
          "url": "https://www.suse.com/security/cve/CVE-2018-1288"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1102920 for CVE-2018-1288",
          "url": "https://bugzilla.suse.com/1102920"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:kafka-source-2.1.0-3.6.aarch64",
            "openSUSE Tumbleweed:kafka-source-2.1.0-3.6.ppc64le",
            "openSUSE Tumbleweed:kafka-source-2.1.0-3.6.s390x",
            "openSUSE Tumbleweed:kafka-source-2.1.0-3.6.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "openSUSE Tumbleweed:kafka-source-2.1.0-3.6.aarch64",
            "openSUSE Tumbleweed:kafka-source-2.1.0-3.6.ppc64le",
            "openSUSE Tumbleweed:kafka-source-2.1.0-3.6.s390x",
            "openSUSE Tumbleweed:kafka-source-2.1.0-3.6.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2018-1288"
    },
    {
      "cve": "CVE-2018-7489",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2018-7489"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:kafka-source-2.1.0-3.6.aarch64",
          "openSUSE Tumbleweed:kafka-source-2.1.0-3.6.ppc64le",
          "openSUSE Tumbleweed:kafka-source-2.1.0-3.6.s390x",
          "openSUSE Tumbleweed:kafka-source-2.1.0-3.6.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2018-7489",
          "url": "https://www.suse.com/security/cve/CVE-2018-7489"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1202327 for CVE-2018-7489",
          "url": "https://bugzilla.suse.com/1202327"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:kafka-source-2.1.0-3.6.aarch64",
            "openSUSE Tumbleweed:kafka-source-2.1.0-3.6.ppc64le",
            "openSUSE Tumbleweed:kafka-source-2.1.0-3.6.s390x",
            "openSUSE Tumbleweed:kafka-source-2.1.0-3.6.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "openSUSE Tumbleweed:kafka-source-2.1.0-3.6.aarch64",
            "openSUSE Tumbleweed:kafka-source-2.1.0-3.6.ppc64le",
            "openSUSE Tumbleweed:kafka-source-2.1.0-3.6.s390x",
            "openSUSE Tumbleweed:kafka-source-2.1.0-3.6.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "critical"
        }
      ],
      "title": "CVE-2018-7489"
    }
  ]
}

RHEA-2018:2082

Vulnerability from csaf_redhat - Published: 2018-06-28 07:27 - Updated: 2026-05-14 18:25

Summary

Red Hat Enhancement Advisory: rhvm-appliance enhancement update

Severity

Moderate

Notes

Topic: An update for rhvm-appliance is now available for Red Hat Virtualization 4 for RHEL-7.

Details: The RHV-M Virtual Appliance automates the process of installing and configuring the Red Hat Virtualization Manager. The appliance is available to download as an OVA file from the Customer Portal.

Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

CVE-2018-7489

A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the c3p0 gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.

8.1 (High)


                        
                          CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-20 - Improper Input Validation

Affected products

Fixed 4 products

Product	Version	Remediation
Unresolved product id: 7Server-RHEV-4-Agents-7:rhvm-appliance-2:4.2-20180620.0.el7.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 7Server-RHEV-4-Agents-7:rhvm-appliance-2:4.2-20180620.0.el7.src	—	Vendor Fix fix Workaround
Unresolved product id: 7Server-RHEV-4-Hypervisor-7:rhvm-appliance-2:4.2-20180620.0.el7.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 7Server-RHEV-4-Hypervisor-7:rhvm-appliance-2:4.2-20180620.0.el7.src	—	Vendor Fix fix Workaround

Threats

Impact Moderate

References

8 references

URL	Category
https://access.redhat.com/errata/RHEA-2018:2082	self
https://bugzilla.redhat.com/show_bug.cgi?id=1582507	external
https://security.access.redhat.com/data/csaf/v2/a…	self
https://access.redhat.com/security/cve/CVE-2018-7489	self
https://bugzilla.redhat.com/show_bug.cgi?id=1549276	external
https://www.cve.org/CVERecord?id=CVE-2018-7489	external
https://nvd.nist.gov/vuln/detail/CVE-2018-7489	external
https://access.redhat.com/solutions/3442891	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update for rhvm-appliance is now available for Red Hat Virtualization 4 for RHEL-7.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "The RHV-M Virtual Appliance automates the process of installing and configuring the Red Hat Virtualization Manager. The appliance is available to download as an OVA file from the Customer Portal.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHEA-2018:2082",
        "url": "https://access.redhat.com/errata/RHEA-2018:2082"
      },
      {
        "category": "external",
        "summary": "1582507",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1582507"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2018/rhea-2018_2082.json"
      }
    ],
    "title": "Red Hat Enhancement Advisory: rhvm-appliance enhancement update",
    "tracking": {
      "current_release_date": "2026-05-14T18:25:13+00:00",
      "generator": {
        "date": "2026-05-14T18:25:13+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.8.0"
        }
      },
      "id": "RHEA-2018:2082",
      "initial_release_date": "2018-06-28T07:27:04+00:00",
      "revision_history": [
        {
          "date": "2018-06-28T07:27:04+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2018-06-28T07:27:04+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-05-14T18:25:13+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts",
                "product": {
                  "name": "Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts",
                  "product_id": "7Server-RHEV-4-Agents-7",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:7::hypervisor"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat Virtualization 4 Hypervisor for RHEL 7",
                "product": {
                  "name": "Red Hat Virtualization 4 Hypervisor for RHEL 7",
                  "product_id": "7Server-RHEV-4-Hypervisor-7",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:7::hypervisor"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Virtualization"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rhvm-appliance-2:4.2-20180620.0.el7.src",
                "product": {
                  "name": "rhvm-appliance-2:4.2-20180620.0.el7.src",
                  "product_id": "rhvm-appliance-2:4.2-20180620.0.el7.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/rhvm-appliance@4.2-20180620.0.el7?arch=src\u0026epoch=2"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rhvm-appliance-2:4.2-20180620.0.el7.noarch",
                "product": {
                  "name": "rhvm-appliance-2:4.2-20180620.0.el7.noarch",
                  "product_id": "rhvm-appliance-2:4.2-20180620.0.el7.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/rhvm-appliance@4.2-20180620.0.el7?arch=noarch\u0026epoch=2"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhvm-appliance-2:4.2-20180620.0.el7.noarch as a component of Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts",
          "product_id": "7Server-RHEV-4-Agents-7:rhvm-appliance-2:4.2-20180620.0.el7.noarch"
        },
        "product_reference": "rhvm-appliance-2:4.2-20180620.0.el7.noarch",
        "relates_to_product_reference": "7Server-RHEV-4-Agents-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhvm-appliance-2:4.2-20180620.0.el7.src as a component of Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts",
          "product_id": "7Server-RHEV-4-Agents-7:rhvm-appliance-2:4.2-20180620.0.el7.src"
        },
        "product_reference": "rhvm-appliance-2:4.2-20180620.0.el7.src",
        "relates_to_product_reference": "7Server-RHEV-4-Agents-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhvm-appliance-2:4.2-20180620.0.el7.noarch as a component of Red Hat Virtualization 4 Hypervisor for RHEL 7",
          "product_id": "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-2:4.2-20180620.0.el7.noarch"
        },
        "product_reference": "rhvm-appliance-2:4.2-20180620.0.el7.noarch",
        "relates_to_product_reference": "7Server-RHEV-4-Hypervisor-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhvm-appliance-2:4.2-20180620.0.el7.src as a component of Red Hat Virtualization 4 Hypervisor for RHEL 7",
          "product_id": "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-2:4.2-20180620.0.el7.src"
        },
        "product_reference": "rhvm-appliance-2:4.2-20180620.0.el7.src",
        "relates_to_product_reference": "7Server-RHEV-4-Hypervisor-7"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2018-7489",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "discovery_date": "2018-02-26T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1549276"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the c3p0 gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Subscription Asset Manager is now in a reduced support phase receiving only Critical impact security fixes. This issue has been rated as having a security impact of Moderate, and is not currently planned to be addressed in future updates.\n\nSatellite 6.2 does not support c3p0 classes. Since the latter are required for this flaw, therefore Satellite 6.2 is not affected.  Satellite 6.3 and 6.4 are not affected because Candlepin does not use polymorphic deserialization.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "7Server-RHEV-4-Agents-7:rhvm-appliance-2:4.2-20180620.0.el7.noarch",
          "7Server-RHEV-4-Agents-7:rhvm-appliance-2:4.2-20180620.0.el7.src",
          "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-2:4.2-20180620.0.el7.noarch",
          "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-2:4.2-20180620.0.el7.src"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2018-7489"
        },
        {
          "category": "external",
          "summary": "RHBZ#1549276",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1549276"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2018-7489",
          "url": "https://www.cve.org/CVERecord?id=CVE-2018-7489"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-7489",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7489"
        },
        {
          "category": "external",
          "summary": "https://access.redhat.com/solutions/3442891",
          "url": "https://access.redhat.com/solutions/3442891"
        }
      ],
      "release_date": "2018-02-26T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2018-06-28T07:27:04+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/2974891",
          "product_ids": [
            "7Server-RHEV-4-Agents-7:rhvm-appliance-2:4.2-20180620.0.el7.noarch",
            "7Server-RHEV-4-Agents-7:rhvm-appliance-2:4.2-20180620.0.el7.src",
            "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-2:4.2-20180620.0.el7.noarch",
            "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-2:4.2-20180620.0.el7.src"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHEA-2018:2082"
        },
        {
          "category": "workaround",
          "details": "Advice on how to remain safe while using JAX-RS webservices on JBoss EAP 7.x is available here:\n\nhttps://access.redhat.com/solutions/3279231\nhttps://github.com/FasterXML/jackson-docs/wiki/JacksonPolymorphicDeserialization\n\nGeneral Mitigation: \nTry to avoid  \n* Deserialization from sources you do not control\n* `enableDefaultTyping()`\n* `@JsonTypeInfo using `id.CLASS` or `id.MINIMAL_CLASS`",
          "product_ids": [
            "7Server-RHEV-4-Agents-7:rhvm-appliance-2:4.2-20180620.0.el7.noarch",
            "7Server-RHEV-4-Agents-7:rhvm-appliance-2:4.2-20180620.0.el7.src",
            "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-2:4.2-20180620.0.el7.noarch",
            "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-2:4.2-20180620.0.el7.src"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "7Server-RHEV-4-Agents-7:rhvm-appliance-2:4.2-20180620.0.el7.noarch",
            "7Server-RHEV-4-Agents-7:rhvm-appliance-2:4.2-20180620.0.el7.src",
            "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-2:4.2-20180620.0.el7.noarch",
            "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-2:4.2-20180620.0.el7.src"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries"
    }
  ]
}

RHEA-2018_2082

Vulnerability from csaf_redhat - Published: 2018-06-28 07:27 - Updated: 2024-11-15 03:03

Summary

Red Hat Enhancement Advisory: rhvm-appliance enhancement update

Severity

Moderate

Notes

Topic: An update for rhvm-appliance is now available for Red Hat Virtualization 4 for RHEL-7.

CVE-2018-7489

8.1 (High)


                        
                          CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-20 - Improper Input Validation

Affected products

Fixed 4 products

Product	Version	Remediation
Unresolved product id: 7Server-RHEV-4-Agents-7:rhvm-appliance-2:4.2-20180620.0.el7.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 7Server-RHEV-4-Agents-7:rhvm-appliance-2:4.2-20180620.0.el7.src	—	Vendor Fix fix Workaround
Unresolved product id: 7Server-RHEV-4-Hypervisor-7:rhvm-appliance-2:4.2-20180620.0.el7.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 7Server-RHEV-4-Hypervisor-7:rhvm-appliance-2:4.2-20180620.0.el7.src	—	Vendor Fix fix Workaround

Threats

Impact Moderate

References

8 references

URL	Category
https://access.redhat.com/errata/RHEA-2018:2082	self
https://bugzilla.redhat.com/show_bug.cgi?id=1582507	external
https://security.access.redhat.com/data/csaf/v2/a…	self
https://access.redhat.com/security/cve/CVE-2018-7489	self
https://bugzilla.redhat.com/show_bug.cgi?id=1549276	external
https://www.cve.org/CVERecord?id=CVE-2018-7489	external
https://nvd.nist.gov/vuln/detail/CVE-2018-7489	external
https://access.redhat.com/solutions/3442891	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update for rhvm-appliance is now available for Red Hat Virtualization 4 for RHEL-7.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "The RHV-M Virtual Appliance automates the process of installing and configuring the Red Hat Virtualization Manager. The appliance is available to download as an OVA file from the Customer Portal.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHEA-2018:2082",
        "url": "https://access.redhat.com/errata/RHEA-2018:2082"
      },
      {
        "category": "external",
        "summary": "1582507",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1582507"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2018/rhea-2018_2082.json"
      }
    ],
    "title": "Red Hat Enhancement Advisory: rhvm-appliance enhancement update",
    "tracking": {
      "current_release_date": "2024-11-15T03:03:21+00:00",
      "generator": {
        "date": "2024-11-15T03:03:21+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.1"
        }
      },
      "id": "RHEA-2018:2082",
      "initial_release_date": "2018-06-28T07:27:04+00:00",
      "revision_history": [
        {
          "date": "2018-06-28T07:27:04+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2018-06-28T07:27:04+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-15T03:03:21+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts",
                "product": {
                  "name": "Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts",
                  "product_id": "7Server-RHEV-4-Agents-7",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:7::hypervisor"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat Virtualization 4 Hypervisor for RHEL 7",
                "product": {
                  "name": "Red Hat Virtualization 4 Hypervisor for RHEL 7",
                  "product_id": "7Server-RHEV-4-Hypervisor-7",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:7::hypervisor"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Virtualization"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rhvm-appliance-2:4.2-20180620.0.el7.src",
                "product": {
                  "name": "rhvm-appliance-2:4.2-20180620.0.el7.src",
                  "product_id": "rhvm-appliance-2:4.2-20180620.0.el7.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/rhvm-appliance@4.2-20180620.0.el7?arch=src\u0026epoch=2"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rhvm-appliance-2:4.2-20180620.0.el7.noarch",
                "product": {
                  "name": "rhvm-appliance-2:4.2-20180620.0.el7.noarch",
                  "product_id": "rhvm-appliance-2:4.2-20180620.0.el7.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/rhvm-appliance@4.2-20180620.0.el7?arch=noarch\u0026epoch=2"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhvm-appliance-2:4.2-20180620.0.el7.noarch as a component of Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts",
          "product_id": "7Server-RHEV-4-Agents-7:rhvm-appliance-2:4.2-20180620.0.el7.noarch"
        },
        "product_reference": "rhvm-appliance-2:4.2-20180620.0.el7.noarch",
        "relates_to_product_reference": "7Server-RHEV-4-Agents-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhvm-appliance-2:4.2-20180620.0.el7.src as a component of Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts",
          "product_id": "7Server-RHEV-4-Agents-7:rhvm-appliance-2:4.2-20180620.0.el7.src"
        },
        "product_reference": "rhvm-appliance-2:4.2-20180620.0.el7.src",
        "relates_to_product_reference": "7Server-RHEV-4-Agents-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhvm-appliance-2:4.2-20180620.0.el7.noarch as a component of Red Hat Virtualization 4 Hypervisor for RHEL 7",
          "product_id": "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-2:4.2-20180620.0.el7.noarch"
        },
        "product_reference": "rhvm-appliance-2:4.2-20180620.0.el7.noarch",
        "relates_to_product_reference": "7Server-RHEV-4-Hypervisor-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhvm-appliance-2:4.2-20180620.0.el7.src as a component of Red Hat Virtualization 4 Hypervisor for RHEL 7",
          "product_id": "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-2:4.2-20180620.0.el7.src"
        },
        "product_reference": "rhvm-appliance-2:4.2-20180620.0.el7.src",
        "relates_to_product_reference": "7Server-RHEV-4-Hypervisor-7"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2018-7489",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "discovery_date": "2018-02-26T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1549276"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Subscription Asset Manager is now in a reduced support phase receiving only Critical impact security fixes. This issue has been rated as having a security impact of Moderate, and is not currently planned to be addressed in future updates.\n\nSatellite 6.2 does not support c3p0 classes. Since the latter are required for this flaw, therefore Satellite 6.2 is not affected.  Satellite 6.3 and 6.4 are not affected because Candlepin does not use polymorphic deserialization.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "7Server-RHEV-4-Agents-7:rhvm-appliance-2:4.2-20180620.0.el7.noarch",
          "7Server-RHEV-4-Agents-7:rhvm-appliance-2:4.2-20180620.0.el7.src",
          "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-2:4.2-20180620.0.el7.noarch",
          "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-2:4.2-20180620.0.el7.src"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2018-7489"
        },
        {
          "category": "external",
          "summary": "RHBZ#1549276",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1549276"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2018-7489",
          "url": "https://www.cve.org/CVERecord?id=CVE-2018-7489"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-7489",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7489"
        },
        {
          "category": "external",
          "summary": "https://access.redhat.com/solutions/3442891",
          "url": "https://access.redhat.com/solutions/3442891"
        }
      ],
      "release_date": "2018-02-26T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2018-06-28T07:27:04+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/2974891",
          "product_ids": [
            "7Server-RHEV-4-Agents-7:rhvm-appliance-2:4.2-20180620.0.el7.noarch",
            "7Server-RHEV-4-Agents-7:rhvm-appliance-2:4.2-20180620.0.el7.src",
            "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-2:4.2-20180620.0.el7.noarch",
            "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-2:4.2-20180620.0.el7.src"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHEA-2018:2082"
        },
        {
          "category": "workaround",
          "details": "Advice on how to remain safe while using JAX-RS webservices on JBoss EAP 7.x is available here:\n\nhttps://access.redhat.com/solutions/3279231\nhttps://github.com/FasterXML/jackson-docs/wiki/JacksonPolymorphicDeserialization\n\nGeneral Mitigation: \nTry to avoid  \n* Deserialization from sources you do not control\n* `enableDefaultTyping()`\n* `@JsonTypeInfo using `id.CLASS` or `id.MINIMAL_CLASS`",
          "product_ids": [
            "7Server-RHEV-4-Agents-7:rhvm-appliance-2:4.2-20180620.0.el7.noarch",
            "7Server-RHEV-4-Agents-7:rhvm-appliance-2:4.2-20180620.0.el7.src",
            "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-2:4.2-20180620.0.el7.noarch",
            "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-2:4.2-20180620.0.el7.src"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "7Server-RHEV-4-Agents-7:rhvm-appliance-2:4.2-20180620.0.el7.noarch",
            "7Server-RHEV-4-Agents-7:rhvm-appliance-2:4.2-20180620.0.el7.src",
            "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-2:4.2-20180620.0.el7.noarch",
            "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-2:4.2-20180620.0.el7.src"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2018-7489 (GCVE-0-2018-7489)

Solutions

Solutions

Tags

Sightings

Nomenclature