CVE-2018-11307Deserialization of Untrusted Data in Jackson-databind

CWE-502Deserialization of Untrusted Data10 documents8 sources
Severity
9.8CRITICALNVD
EPSS
12.6%
top 6.01%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
7
Fasterxml Jackson-databindOracle Global Lifecycle Management OpatchOracle Clusterware+4 more
Timeline
PublishedJul 9
Latest updateMar 15

Description

An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and 2.9.6.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages8 packages

NVDfasterxml/jackson-databind2.0.02.6.7.3+3
Debianfasterxml/jackson-databind< 2.9.8-1+3
Ubuntufasterxml/jackson-databind< 2.4.2-3ubuntu0.1~esm2
NVDoracle/global_lifecycle_management_opatch12.2.0.1.012.2.0.1.19+2
NVDoracle/clusterware12.1.0.2.0

Also affects: Openshift Container Platform 3.11, 4.1

Patches

Patch: www.oracle.comPatch: www.oracle.com

🔴Vulnerability Details

5
OSV
jackson-databind vulnerabilities2021-03-15
OSV
Deserialization of Untrusted Data in jackson-databind2019-07-16
GHSA
Deserialization of Untrusted Data in jackson-databind2019-07-16
CVEList
CVE-2018-11307: An issue was discovered in FasterXML jackson-databind 22019-07-09
OSV
CVE-2018-11307: An issue was discovered in FasterXML jackson-databind 22019-07-09

📋Vendor Advisories

3
Ubuntu
Jackson Databind vulnerabilities2021-03-15
Red Hat
jackson-databind: Potential information exfiltration with default typing, serialization gadget from MyBatis2018-05-10
Debian
CVE-2018-11307: jackson-databind - An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use o...2018

💬Community

1
Bugzilla
CVE-2018-11307 jackson-databind: Potential information exfiltration with default typing, serialization gadget from MyBatis2019-02-14
CVE-2018-11307 — Deserialization of Untrusted Data | cvebase