
CVE-2018-12022

jackson-databind: improper polymorphic deserialization of types from Jodd-db library

Severity Score: 7.5 (CVSS v3.1)
Public Exploits: 0 (multiple sources)
Exploited in Wild (KEV): -
Decision (SSVC): -
Affected Versions (CPE): see the vendor/product table below

Descriptions

An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.


A vulnerability was discovered in jackson-databind where it would permit deserialization of a malicious object using Jodd DB connection classes when using DefaultTyping. An attacker could use this flaw to achieve remote code execution under certain circumstances.
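The precondition named in both descriptions is Default Typing: once it is on, a JSON document chooses the concrete class for any loosely typed property, and the only thing that stops it from naming a dangerous class on the classpath (the Jodd-db types here, other gadget classes in related CVEs) is a class blocklist inside jackson-databind, which is what the fixed versions extend. The example below is added here and is not code from the CVE record or from the jackson project; it places the weak, validator-less configuration next to the allowlisted form that jackson-databind 2.10 and later provide through `PolymorphicTypeValidator`. The `Shape`, `Circle` and `Envelope` classes are hypothetical application types, and the JSON inputs are constructed for the example.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

// Added example (not from the CVE record or the jackson project): the weak
// Default Typing setup this class of issue depends on, beside the allowlisted
// form available in jackson-databind 2.10+. Application types are hypothetical.
public class DefaultTypingHardening {

    // Hypothetical application types that genuinely need polymorphic handling.
    public static abstract class Shape { public double width; }
    public static class Circle extends Shape { public double radius; }

    // A property declared as Object is exactly where Default Typing lets the
    // JSON document pick the concrete class.
    public static class Envelope { public Object payload; }

    // WEAK: Default Typing with no validator. Any class on the classpath may be
    // named as the type id; the library's internal blocklist is the only guard.
    // (JAVA_LANG_OBJECT is the narrowest mode; NON_FINAL etc. widen the exposure.)
    public static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.JAVA_LANG_OBJECT); // deprecated since 2.10
        return mapper;
    }

    // HARDENED (2.10+): Default Typing only through a PolymorphicTypeValidator
    // whose allowlist is the application's own hierarchy; anything else is rejected.
    public static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Shape.class)
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.JAVA_LANG_OBJECT);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: a legitimate polymorphic value. Default Typing uses the
        // ["class name", value] wrapper-array form.
        String legitimate = "{\"payload\":[\"" + Circle.class.getName()
                + "\",{\"width\":1.0,\"radius\":2.0}]}";
        // Constructed input naming a class outside the allowlist. java.util.HashMap
        // is a harmless stand-in for whatever an untrusted document might name.
        String outside = "{\"payload\":[\"java.util.HashMap\",{}]}";

        // The weak mapper accepts both: the document decided the class.
        ObjectMapper weak = weakMapper();
        System.out.println("weak mapper, outside type: "
                + weak.readValue(outside, Envelope.class).payload.getClass().getName());

        // The hardened mapper accepts the allowlisted hierarchy only.
        ObjectMapper hardened = hardenedMapper();
        Envelope env = hardened.readValue(legitimate, Envelope.class);
        System.out.println("hardened mapper, accepted: " + env.payload.getClass().getName());
        try {
            hardened.readValue(outside, Envelope.class);
            System.out.println("unexpected: type id accepted");
        } catch (InvalidTypeIdException e) {
            System.out.println("hardened mapper, rejected: " + e.getMessage());
        }
    }
}
```

For an audit of an existing code base, the check is the same as in the weak mapper: any call to `enableDefaultTyping(...)` (or `activateDefaultTyping` without a restrictive validator) on an `ObjectMapper` that reads attacker-supplied JSON is the condition the descriptions above require, and the fix is either to remove Default Typing or to move to 2.10+ with an allowlist validator, in addition to upgrading past the affected versions.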

Credits: N/A

CVSS Scores

| Metric | CVSS v3.1 (score 7.5) | Second CVSS v3 vector | CVSS v2 |
|---|---|---|---|
| Attack Vector | Network | Network | Network |
| Attack Complexity | High | Low | High |
| Privileges Required / Authentication (v2) | None | None | None |
| User Interaction | Required | None | n/a |
| Scope | Unchanged | Unchanged | n/a |
| Confidentiality | High | Low | Partial |
| Integrity | High | Low | Partial |
| Availability | High | Low | Partial |
| Vector string | AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L | AV:N/AC:H/Au:N/C:P/I:P/A:P |

* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario

Timeline
  • 2018-06-07 CVE Reserved
  • 2019-03-17 CVE Published
  • 2024-08-05 CVE Updated
  • 2024-10-10 EPSS Updated
  • Exploited in Wild: not recorded
  • KEV Due Date: not recorded
  • First Exploit: not recorded

CWE
  • CWE-502: Deserialization of Untrusted Data

CAPEC
  • -

References (38)
Affected Vendors, Products, and Versions

| Vendor | Product | Version | Other | Status |
|---|---|---|---|---|
| Fasterxml | Jackson-databind | >= 2.0.0 < 2.6.7.3 | - | Affected |
| Fasterxml | Jackson-databind | >= 2.7.0 < 2.7.9.4 | - | Affected |
| Fasterxml | Jackson-databind | >= 2.8.0 < 2.8.11.2 | - | Affected |
| Fasterxml | Jackson-databind | >= 2.9.0 < 2.9.6 | - | Affected |
| Debian | Debian Linux | 9.0 | - | Affected |
| Fedoraproject | Fedora | 29 | - | Affected |
| Oracle | Jd Edwards Enterpriseone Tools | 9.2 | - | Affected |
| Oracle | Retail Merchandising System | 15.0 | - | Affected |
| Redhat | Automation Manager | 7.3.1 | - | Affected |
| Redhat | Decision Manager | 7.3.1 | - | Affected |
| Redhat | Jboss Brms | 6.4.10 | - | Affected |
| Redhat | Jboss Enterprise Application Platform | 7.2.0 | - | Affected |
| Redhat | Openshift Container Platform | 3.11 | - | Affected |
| Redhat | Single Sign-on | 7.3 | - | Affected |