// For flags

CVE-2018-12022

jackson-databind: improper polymorphic deserialization of types from Jodd-db library

Severity Score

7.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.

Se ha descubierto un problema en FasterXML jackson-databind, en versiones anteriores a la 2.7.9.4, 2.8.11.2 y 2.9.6. Cuando "Default Typing" está habilitado (globalmente o para una propiedad en concreto), el servicio cuenta con el jar Jodd-db (para acceso a la base de datos del framework Jodd) en la ruta de clase; un atacante puede proporcionar un servicio LDAP para acceder y es posible hacer que el servicio ejecute una carga útil maliciosa.

A vulnerability was discovered in jackson-databind where it would permit deserialization of a malicious object using Jodd DB connection classes when using DefaultTyping. An attacker could use this flaw to achieve remote code execution under certain circumstances.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low
Attack Vector
Network
Attack Complexity
High
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2018-06-07 CVE Reserved
  • 2019-03-17 CVE Published
  • 2024-08-05 CVE Updated
  • 2024-10-10 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-502: Deserialization of Untrusted Data
CAPEC
References (38)
URL Date SRC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Fasterxml
Search vendor "Fasterxml"
Jackson-databind
Search vendor "Fasterxml" for product "Jackson-databind"
>= 2.0.0 < 2.6.7.3
Search vendor "Fasterxml" for product "Jackson-databind" and version " >= 2.0.0 < 2.6.7.3"
-
Affected
Fasterxml
Search vendor "Fasterxml"
Jackson-databind
Search vendor "Fasterxml" for product "Jackson-databind"
>= 2.7.0 < 2.7.9.4
Search vendor "Fasterxml" for product "Jackson-databind" and version " >= 2.7.0 < 2.7.9.4"
-
Affected
Fasterxml
Search vendor "Fasterxml"
Jackson-databind
Search vendor "Fasterxml" for product "Jackson-databind"
>= 2.8.0 < 2.8.11.2
Search vendor "Fasterxml" for product "Jackson-databind" and version " >= 2.8.0 < 2.8.11.2"
-
Affected
Fasterxml
Search vendor "Fasterxml"
Jackson-databind
Search vendor "Fasterxml" for product "Jackson-databind"
>= 2.9.0 < 2.9.6
Search vendor "Fasterxml" for product "Jackson-databind" and version " >= 2.9.0 < 2.9.6"
-
Affected
Debian
Search vendor "Debian"
Debian Linux
Search vendor "Debian" for product "Debian Linux"
9.0
Search vendor "Debian" for product "Debian Linux" and version "9.0"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
Fedora
Search vendor "Fedoraproject" for product "Fedora"
29
Search vendor "Fedoraproject" for product "Fedora" and version "29"
-
Affected
Oracle
Search vendor "Oracle"
Jd Edwards Enterpriseone Tools
Search vendor "Oracle" for product "Jd Edwards Enterpriseone Tools"
9.2
Search vendor "Oracle" for product "Jd Edwards Enterpriseone Tools" and version "9.2"
-
Affected
Oracle
Search vendor "Oracle"
Retail Merchandising System
Search vendor "Oracle" for product "Retail Merchandising System"
15.0
Search vendor "Oracle" for product "Retail Merchandising System" and version "15.0"
-
Affected
Redhat
Search vendor "Redhat"
Automation Manager
Search vendor "Redhat" for product "Automation Manager"
7.3.1
Search vendor "Redhat" for product "Automation Manager" and version "7.3.1"
-
Affected
Redhat
Search vendor "Redhat"
Decision Manager
Search vendor "Redhat" for product "Decision Manager"
7.3.1
Search vendor "Redhat" for product "Decision Manager" and version "7.3.1"
-
Affected
Redhat
Search vendor "Redhat"
Jboss Brms
Search vendor "Redhat" for product "Jboss Brms"
6.4.10
Search vendor "Redhat" for product "Jboss Brms" and version "6.4.10"
-
Affected
Redhat
Search vendor "Redhat"
Jboss Enterprise Application Platform
Search vendor "Redhat" for product "Jboss Enterprise Application Platform"
7.2.0
Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "7.2.0"
-
Affected
Redhat
Search vendor "Redhat"
Openshift Container Platform
Search vendor "Redhat" for product "Openshift Container Platform"
3.11
Search vendor "Redhat" for product "Openshift Container Platform" and version "3.11"
-
Affected
Redhat
Search vendor "Redhat"
Single Sign-on
Search vendor "Redhat" for product "Single Sign-on"
7.3
Search vendor "Redhat" for product "Single Sign-on" and version "7.3"
-
Affected