CVE-2018-12022

CWE-502 — Deserialization of Untrusted Data11 documents8 sources

Severity

7.5HIGH

EPSS

3.0%

top 13.33%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fasterxml Jackson-databind Debian Debian Linux Fedoraproject Fedora +8 more

Timeline

PublishedMar 21

Latest updateMar 15

Description

An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.6 | Impact: 5.9

Affected Packages11 packages

▶NVDfasterxml/jackson-databind2.0.0 — 2.6.7.3+3

▶Mavencom.fasterxml.jackson.core:jackson-databind2.8.0 — 2.8.11.2+2

▶Debianjackson-databind< 2.9.8-1+3

▶Ubuntujackson-databind< 2.4.2-3ubuntu0.1~esm2

▶NVDredhat/jboss_brms6.4.10

Also affects: Debian Linux 9.0, Fedora 29, Openshift Container Platform 3.11

Patches

Patch: github.com ↗Patch: github.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

OSV

jackson-databind vulnerabilities↗2021-03-15

▶

GHSA

jackson-databind Deserialization of Untrusted Data vulnerability↗2019-03-25

▶

OSV

jackson-databind Deserialization of Untrusted Data vulnerability↗2019-03-25

▶

OSV

CVE-2018-12022: An issue was discovered in FasterXML jackson-databind prior to 2↗2019-03-21

▶

CVEList

CVE-2018-12022: An issue was discovered in FasterXML jackson-databind prior to 2↗2019-03-17

▶

📋Vendor Advisories

Ubuntu

Jackson Databind vulnerabilities↗2021-03-15

▶

Red Hat

jackson-databind: improper polymorphic deserialization of types from Jodd-db library↗2018-05-29

▶

Debian

CVE-2018-12022: jackson-databind - An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2...↗2018

▶

💬Community

Bugzilla

CVE-2018-12022 jackson-databind: improper polymorphic deserialization of types from Jodd-db library [fedora-all]↗2019-01-30

▶

Bugzilla

CVE-2018-12022 jackson-databind: improper polymorphic deserialization of types from Jodd-db library↗2019-01-30

▶