8.1
CVE-2018-5968
- EPSS 2.12%
- Veröffentlicht 22.01.2018 04:29:00
- Zuletzt bearbeitet 21.11.2024 04:09:46
- Quelle cve@mitre.org
- Teams Watchlist Login
- Unerledigt Login
FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Fasterxml ≫ Jackson-databind Version >= 2.0.0 < 2.6.7.3
Fasterxml ≫ Jackson-databind Version >= 2.7.0 < 2.7.9.2
Fasterxml ≫ Jackson-databind Version >= 2.8.0 < 2.8.11.1
Fasterxml ≫ Jackson-databind Version >= 2.9.0 < 2.9.4
Debian ≫ Debian Linux Version8.0
Debian ≫ Debian Linux Version9.0
Redhat ≫ Openshift Container Platform Version4.1
Redhat ≫ Virtualization Version4.0
Redhat ≫ Virtualization Host Version4.0
Redhat ≫ Jboss Enterprise Application Platform Version7.1
Redhat ≫ Openshift Container Platform Version3.11
Netapp ≫ E-series Santricity Os Controller Version >= 11.0.0 <= 11.60.3
Netapp ≫ E-series Santricity Web Services Proxy Version-
Netapp ≫ Oncommand Shift Version-
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 2.12% | 0.834 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.1 | 2.2 | 5.9 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 6.8 | 8.6 | 6.4 |
AV:N/AC:M/Au:N/C:P/I:P/A:P
|
CWE-184 Incomplete List of Disallowed Inputs
The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.
CWE-502 Deserialization of Untrusted Data
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.