CVE-2018-1000873 — Improper Input Validation in Jackson-modules-java8

CWE-20 — Improper Input Validation CWE-502 — Deserialization of Untrusted Data12 documents6 sources

Severity

6.5MEDIUMNVD

GHSA9.8

EPSS

2.2%

top 15.60%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fasterxml Jackson-modules-java8 Oracle Global Lifecycle Management Opatch Oracle Nosql Database +3 more

Timeline

PublishedDec 20

Latest updateMay 24

Description

Fasterxml Jackson version Before 2.9.8 contains a CWE-20: Improper Input Validation vulnerability in Jackson-Modules-Java8 that can result in Causes a denial-of-service (DoS). This attack appear to be exploitable via The victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages6 packages

▶NVDfasterxml/jackson-modules-java8< 2.9.8

▶NVDoracle/nosql_database< 19.3.12

▶NVDoracle/global_lifecycle_management_opatch12.2.0.1.0 — 12.2.0.1.19+2

▶NVDoracle/clusterware12.1.0.2.0

▶NVDoracle/database_server4 versions+3

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Deserialization of Untrusted Data in org.codehaus.jackson:jackson-mapper-asl↗2022-05-24

▶

OSV

Moderate severity vulnerability that affects com.fasterxml.jackson.datatype:jackson-datatype-jsr353↗2018-12-21

▶

GHSA

Moderate severity vulnerability that affects com.fasterxml.jackson.datatype:jackson-datatype-jsr353↗2018-12-21

▶

CVEList

CVE-2018-1000873: Fasterxml Jackson version Before 2↗2018-12-20

▶

OSV

CVE-2018-1000873: Fasterxml Jackson version Before 2↗2018-12-20

▶

📋Vendor Advisories

Red Hat

codehaus: incomplete fix for unsafe deserialization in jackson-databind vulnerabilities↗2019-09-30

▶

Red Hat

jackson-modules-java8: DoS due to an Improper Input Validation↗2018-10-24

▶

💬Community

Bugzilla

CVE-2019-10202 codehaus: incomplete fix for unsafe deserialization in jackson-databind vulnerabilities↗2019-07-18

▶

Bugzilla

CVE-2018-1000873 jackson-datatype-jsr310: jackson-modules-java8: DoS due to an Improper Input Validation [fedora-all]↗2019-01-17

▶

Bugzilla

CVE-2018-1000873 jackson-databind: jackson-modules-java8: DoS due to an Improper Input Validation [fedora-all]↗2019-01-11

▶

Bugzilla

CVE-2018-1000873 jackson-modules-java8: DoS due to an Improper Input Validation↗2019-01-11

▶