CVE-2018-7489

FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.

Published date
2018-02-26T15:29Z
Last modification date
2021-03-25T01:15Z
Assigner
cve@mitre.org
Problem type
CWE-184

Impact

CVSS v3 vector string
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NameURLSourceTags
https://github.com/FasterXML/jackson-databind/issues/1931https://github.com/FasterXML/jackson-databind/issues/1931CONFIRMThird Party Advisory
103203http://www.securityfocus.com/bid/103203BIDThird Party Advisory, VDB Entry
https://security.netapp.com/advisory/ntap-20180328-0001/https://security.netapp.com/advisory/ntap-20180328-0001/CONFIRMThird Party Advisory
1040693http://www.securitytracker.com/id/1040693SECTRACKThird Party Advisory, VDB Entry
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.htmlhttp://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.htmlCONFIRMPatch
DSA-4190https://www.debian.org/security/2018/dsa-4190DEBIANThird Party Advisory
RHSA-2018:1451https://access.redhat.com/errata/RHSA-2018:1451REDHATThird Party Advisory
RHSA-2018:1450https://access.redhat.com/errata/RHSA-2018:1450REDHATThird Party Advisory
RHSA-2018:1449https://access.redhat.com/errata/RHSA-2018:1449REDHATThird Party Advisory
RHSA-2018:1448https://access.redhat.com/errata/RHSA-2018:1448REDHATThird Party Advisory
RHSA-2018:1447https://access.redhat.com/errata/RHSA-2018:1447REDHATThird Party Advisory
RHSA-2018:1786https://access.redhat.com/errata/RHSA-2018:1786REDHATThird Party Advisory
RHSA-2018:2090https://access.redhat.com/errata/RHSA-2018:2090REDHATThird Party Advisory
RHSA-2018:2089https://access.redhat.com/errata/RHSA-2018:2089REDHATThird Party Advisory
RHSA-2018:2088https://access.redhat.com/errata/RHSA-2018:2088REDHATThird Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.htmlhttp://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.htmlCONFIRMPatch
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03902en_ushttps://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03902en_usCONFIRMThird Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.htmlhttp://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.htmlCONFIRMPatch
1041890http://www.securitytracker.com/id/1041890SECTRACKThird Party Advisory, VDB Entry
RHSA-2018:2939https://access.redhat.com/errata/RHSA-2018:2939REDHATThird Party Advisory
RHSA-2018:2938https://access.redhat.com/errata/RHSA-2018:2938REDHATThird Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.htmlhttps://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.htmlCONFIRMPatch, Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.htmlhttps://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.htmlMISCPatch, Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.htmlhttps://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.htmlMISCPatch
RHSA-2019:2858https://access.redhat.com/errata/RHSA-2019:2858REDHAT
RHSA-2019:3149https://access.redhat.com/errata/RHSA-2019:3149REDHAT
https://www.oracle.com/security-alerts/cpuoct2020.htmlhttps://www.oracle.com/security-alerts/cpuoct2020.htmlMISC
[druid-commits] 20210324 [GitHub] [druid] jihoonson opened a new pull request #11030: Suppress cveshttps://lists.apache.org/thread.html/r1d4a247329a8478073163567bbc8c8cb6b49c6bfc2bf58153a857af1@%3Ccommits.druid.apache.org%3EMLIST