CVE-2018-19361: FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic…

critical9.8CVSS 3.0

AVNACLPRNUINSUCHIHAH

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.

Affected

31 ranges· showing 25

Vendor	Product	Version range	Fixed in
debian	debian_linux	—	—
debian	debian_linux	—	—
debian	jackson-databind	< jackson-databind 2.9.8-1 (bookworm)	jackson-databind 2.9.8-1 (bookworm)
fasterxml	jackson-databind	>= 0 < 2.9.8-1	2.9.8-1
fasterxml	jackson-databind	>= 0 < 2.9.8-1	2.9.8-1
fasterxml	jackson-databind	>= 0 < 2.9.8-1	2.9.8-1
fasterxml	jackson-databind	>= 0 < 2.9.8-1	2.9.8-1
fasterxml	jackson-databind	>= 0 < 2.4.2-3ubuntu0.1~esm2	2.4.2-3ubuntu0.1~esm2
fasterxml	jackson-databind	2.6.0 – 2.6.7.2	—
fasterxml	jackson-databind	>= 2.7.0 < 2.7.9.5	2.7.9.5
fasterxml	jackson-databind	>= 2.8.0 < 2.8.11.3	2.8.11.3
fasterxml	jackson-databind	>= 2.9.0 < 2.9.8	2.9.8
oracle	business_process_management_suite	—	—
oracle	business_process_management_suite	—	—
oracle	primavera_p6_enterprise_project_portfolio_management	—	—
oracle	primavera_p6_enterprise_project_portfolio_management	—	—
oracle	primavera_p6_enterprise_project_portfolio_management	—	—
oracle	primavera_p6_enterprise_project_portfolio_management	—	—
oracle	primavera_p6_enterprise_project_portfolio_management	—	—
oracle	primavera_p6_enterprise_project_portfolio_management	17.7 – 17.12	—
oracle	primavera_unifier	—	—
oracle	primavera_unifier	—	—
oracle	primavera_unifier	—	—
oracle	primavera_unifier	17.7 – 17.12	—
oracle	retail_workforce_management_software	—	—

CVSS provenance

nvdv3.09.8CRITICALCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

osv9.8CRITICAL