CVE-2018-11307
Published 2019-07-09
Critical 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and 2.9.6.
Affected
19 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | jackson-databind | < jackson-databind 2.9.8-1 (bookworm) | jackson-databind 2.9.8-1 (bookworm) |
| fasterxml | jackson-databind | >= 0 < 2.9.8-1 | 2.9.8-1 |
| fasterxml | jackson-databind | >= 0 < 2.9.8-1 | 2.9.8-1 |
| fasterxml | jackson-databind | >= 0 < 2.9.8-1 | 2.9.8-1 |
| fasterxml | jackson-databind | >= 0 < 2.9.8-1 | 2.9.8-1 |
| fasterxml | jackson-databind | >= 0 < 2.4.2-3ubuntu0.1~esm2 | 2.4.2-3ubuntu0.1~esm2 |
| fasterxml | jackson-databind | >= 2.0.0 < 2.6.7.3 | 2.6.7.3 |
| fasterxml | jackson-databind | >= 2.7.0 < 2.7.9.4 | 2.7.9.4 |
| fasterxml | jackson-databind | >= 2.8.0 < 2.8.11.2 | 2.8.11.2 |
| fasterxml | jackson-databind | >= 2.9.0 < 2.9.6 | 2.9.6 |
| oracle | clusterware | — | — |
| oracle | communications_instant_messaging_server | — | — |
| oracle | global_lifecycle_management_opatch | < 11.2.0.3.23 | 11.2.0.3.23 |
| oracle | global_lifecycle_management_opatch | >= 12.2.0.1.0 < 12.2.0.1.19 | 12.2.0.1.19 |
| oracle | global_lifecycle_management_opatch | >= 13.9.4.0.0 < 13.9.4.2.1 | 13.9.4.2.1 |
| oracle | retail_customer_management_and_segmentation_foundation | — | — |
| oracle | utilities_advanced_spatial_and_operational_analytics | — | — |
| redhat | openshift_container_platform | — | — |
| redhat | openshift_container_platform | — | — |
CVSS provenance
nvd: v3.1, 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv: 9.8 CRITICAL