CVE-2018-19361
jackson-databind: improper polymorphic deserialization in openjpa class
Severity Score
9.8
*CVSS v3
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.
Las versiones 2.x de FasterXML jackson-databind anteriores a la 2.9.8 podrían permitir a los atacantes remotos tener un impacto no especificado aprovechando un fallo para bloquear la clase openjpa de deserialización polimórfica.
A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using the OpenJPA class. An attacker could use this flaw to execute arbitrary code.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2018-11-19 CVE Reserved
- 2019-01-02 CVE Published
- 2024-08-05 CVE Updated
- 2024-08-21 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-502: Deserialization of Untrusted Data
CAPEC
References (39)
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Fasterxml Search vendor "Fasterxml" | Jackson-databind Search vendor "Fasterxml" for product "Jackson-databind" | >= 2.6.0 <= 2.6.7.2 Search vendor "Fasterxml" for product "Jackson-databind" and version " >= 2.6.0 <= 2.6.7.2" | - |
Affected
| ||||||
Fasterxml Search vendor "Fasterxml" | Jackson-databind Search vendor "Fasterxml" for product "Jackson-databind" | >= 2.7.0 < 2.7.9.5 Search vendor "Fasterxml" for product "Jackson-databind" and version " >= 2.7.0 < 2.7.9.5" | - |
Affected
| ||||||
Fasterxml Search vendor "Fasterxml" | Jackson-databind Search vendor "Fasterxml" for product "Jackson-databind" | >= 2.8.0 < 2.8.11.3 Search vendor "Fasterxml" for product "Jackson-databind" and version " >= 2.8.0 < 2.8.11.3" | - |
Affected
| ||||||
Fasterxml Search vendor "Fasterxml" | Jackson-databind Search vendor "Fasterxml" for product "Jackson-databind" | >= 2.9.0 < 2.9.8 Search vendor "Fasterxml" for product "Jackson-databind" and version " >= 2.9.0 < 2.9.8" | - |
Affected
| ||||||
Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 8.0 Search vendor "Debian" for product "Debian Linux" and version "8.0" | - |
Affected
| ||||||
Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Business Process Management Suite Search vendor "Oracle" for product "Business Process Management Suite" | 12.1.3.0.0 Search vendor "Oracle" for product "Business Process Management Suite" and version "12.1.3.0.0" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Business Process Management Suite Search vendor "Oracle" for product "Business Process Management Suite" | 12.2.1.3.0 Search vendor "Oracle" for product "Business Process Management Suite" and version "12.2.1.3.0" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Primavera P6 Enterprise Project Portfolio Management Search vendor "Oracle" for product "Primavera P6 Enterprise Project Portfolio Management" | >= 17.7 <= 17.12 Search vendor "Oracle" for product "Primavera P6 Enterprise Project Portfolio Management" and version " >= 17.7 <= 17.12" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Primavera P6 Enterprise Project Portfolio Management Search vendor "Oracle" for product "Primavera P6 Enterprise Project Portfolio Management" | 15.1 Search vendor "Oracle" for product "Primavera P6 Enterprise Project Portfolio Management" and version "15.1" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Primavera P6 Enterprise Project Portfolio Management Search vendor "Oracle" for product "Primavera P6 Enterprise Project Portfolio Management" | 15.2 Search vendor "Oracle" for product "Primavera P6 Enterprise Project Portfolio Management" and version "15.2" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Primavera P6 Enterprise Project Portfolio Management Search vendor "Oracle" for product "Primavera P6 Enterprise Project Portfolio Management" | 16.1 Search vendor "Oracle" for product "Primavera P6 Enterprise Project Portfolio Management" and version "16.1" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Primavera P6 Enterprise Project Portfolio Management Search vendor "Oracle" for product "Primavera P6 Enterprise Project Portfolio Management" | 16.2 Search vendor "Oracle" for product "Primavera P6 Enterprise Project Portfolio Management" and version "16.2" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Primavera P6 Enterprise Project Portfolio Management Search vendor "Oracle" for product "Primavera P6 Enterprise Project Portfolio Management" | 18.8 Search vendor "Oracle" for product "Primavera P6 Enterprise Project Portfolio Management" and version "18.8" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Primavera Unifier Search vendor "Oracle" for product "Primavera Unifier" | >= 17.7 <= 17.12 Search vendor "Oracle" for product "Primavera Unifier" and version " >= 17.7 <= 17.12" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Primavera Unifier Search vendor "Oracle" for product "Primavera Unifier" | 16.1 Search vendor "Oracle" for product "Primavera Unifier" and version "16.1" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Primavera Unifier Search vendor "Oracle" for product "Primavera Unifier" | 16.2 Search vendor "Oracle" for product "Primavera Unifier" and version "16.2" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Primavera Unifier Search vendor "Oracle" for product "Primavera Unifier" | 18.8 Search vendor "Oracle" for product "Primavera Unifier" and version "18.8" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Retail Workforce Management Software Search vendor "Oracle" for product "Retail Workforce Management Software" | 1.60.9.0.0 Search vendor "Oracle" for product "Retail Workforce Management Software" and version "1.60.9.0.0" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Webcenter Portal Search vendor "Oracle" for product "Webcenter Portal" | 12.2.1.3.0 Search vendor "Oracle" for product "Webcenter Portal" and version "12.2.1.3.0" | - |
Affected
| ||||||
Redhat Search vendor "Redhat" | Automation Manager Search vendor "Redhat" for product "Automation Manager" | 7.3.1 Search vendor "Redhat" for product "Automation Manager" and version "7.3.1" | - |
Affected
| ||||||
Redhat Search vendor "Redhat" | Decision Manager Search vendor "Redhat" for product "Decision Manager" | 7.3.1 Search vendor "Redhat" for product "Decision Manager" and version "7.3.1" | - |
Affected
| ||||||
Redhat Search vendor "Redhat" | Jboss Bpm Suite Search vendor "Redhat" for product "Jboss Bpm Suite" | 6.4.11 Search vendor "Redhat" for product "Jboss Bpm Suite" and version "6.4.11" | - |
Affected
| ||||||
Redhat Search vendor "Redhat" | Jboss Brms Search vendor "Redhat" for product "Jboss Brms" | 6.4.10 Search vendor "Redhat" for product "Jboss Brms" and version "6.4.10" | - |
Affected
| ||||||
Redhat Search vendor "Redhat" | Openshift Container Platform Search vendor "Redhat" for product "Openshift Container Platform" | 3.11 Search vendor "Redhat" for product "Openshift Container Platform" and version "3.11" | - |
Affected
|