9.8

CVE-2018-7489

FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 20.14% 0.971
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 7.5 10 6.4
AV:N/AC:L/Au:N/C:P/I:P/A:P
CWE-184 Incomplete List of Disallowed Inputs

The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.

CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
Patch
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
Patch
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
Patch
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
Patch
Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
Patch
Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
Patch
https://www.oracle.com/security-alerts/cpuoct2020.html
https://access.redhat.com/errata/RHSA-2018:1447
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:1448
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:1449
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:1450
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:1451
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2939
Third Party Advisory
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03902en_us
Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:2858
https://access.redhat.com/errata/RHSA-2019:3149
https://access.redhat.com/errata/RHSA-2018:2938
Third Party Advisory
http://www.securityfocus.com/bid/103203
Third Party Advisory
VDB Entry
http://www.securitytracker.com/id/1040693
Third Party Advisory
VDB Entry
http://www.securitytracker.com/id/1041890
Third Party Advisory
VDB Entry
https://access.redhat.com/errata/RHSA-2018:1786
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2088
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2089
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2090
Third Party Advisory
https://github.com/FasterXML/jackson-databind/issues/1931
Third Party Advisory
https://lists.apache.org/thread.html/r1d4a247329a8478073163567bbc8c8cb6b49c6bfc2bf58153a857af1%40%3Ccommits.druid.apache.org%3E
https://security.netapp.com/advisory/ntap-20180328-0001/
Third Party Advisory
https://www.debian.org/security/2018/dsa-4190
Third Party Advisory