CVE-2018-12023

CWE-502 — Deserialization of Untrusted Data12 documents9 sources

Severity

7.5HIGH

EPSS

4.8%

top 10.50%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fasterxml Jackson-databind Debian Debian Linux Fedoraproject Fedora +8 more

Timeline

PublishedMar 21

Latest updateMar 15

Description

An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.6 | Impact: 5.9

Affected Packages11 packages

▶NVDfasterxml/jackson-databind2.7.0 — 2.7.9.4+2

▶Mavencom.fasterxml.jackson.core:jackson-databind2.7.0 — 2.7.9.4+2

▶Debianjackson-databind< 2.9.8-1+3

▶Ubuntujackson-databind< 2.4.2-3ubuntu0.1~esm2

▶NVDoracle/retail_merchandising_system15.0

Also affects: Debian Linux 9.0, Fedora 29, Openshift Container Platform 3.11

Patches

Patch: github.com ↗Patch: github.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

OSV

jackson-databind vulnerabilities↗2021-03-15

▶

GHSA

Deserialization of Untrusted Data↗2020-06-15

▶

OSV

Deserialization of Untrusted Data↗2020-06-15

▶

OSV

CVE-2018-12023: An issue was discovered in FasterXML jackson-databind prior to 2↗2019-03-21

▶

CVEList

CVE-2018-12023: An issue was discovered in FasterXML jackson-databind prior to 2↗2019-03-17

▶

📋Vendor Advisories

Ubuntu

Jackson Databind vulnerabilities↗2021-03-15

▶

Oracle

Oracle Oracle Utilities Applications Risk Matrix: Common (jackson-databind) — CVE-2018-12023↗2020-07-15

▶

Red Hat

jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver↗2018-06-08

▶

Debian

CVE-2018-12023: jackson-databind - An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2...↗2018

▶

💬Community

Bugzilla

CVE-2018-12023 jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver [fedora-all]↗2019-01-30

▶

Bugzilla

CVE-2018-12023 jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver↗2019-01-30

▶