CVE-2018-19361

jackson-databind: improper polymorphic deserialization in openjpa class

  • Severity Score: 9.8 (CVSS v3)
  • Exploit Likelihood (EPSS): not listed
  • Affected Versions (CPE): see the table below
  • Public Exploits: 0 (Multiple Sources)
  • Exploited in Wild: - (KEV)
  • Decision: - (SSVC)

Descriptions

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.

Versions 2.x of FasterXML jackson-databind before 2.9.8 could allow remote attackers to have an unspecified impact by leveraging a failure to block the openjpa class from polymorphic deserialization.

A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using the OpenJPA class. An attacker could use this flaw to execute arbitrary code.

*Credits: N/A
CVSS Scores

CVSS v3, first vector (base score 9.8; AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

CVSS v3, second vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: Low
  • Availability: Low

CVSS v2 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Authentication: None
  • Confidentiality: Partial
  • Integrity: Partial
  • Availability: Partial

* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2018-11-19 CVE Reserved
  • 2019-01-02 CVE Published
  • 2024-08-05 CVE Updated
  • 2024-08-21 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-502: Deserialization of Untrusted Data
CAPEC
References (39)
  • http://www.securityfocus.com/bid/107985 (Third Party Advisory)
  • https://issues.apache.org/jira/browse/TINKERPOP-2121 (Issue Tracking)
  • https://lists.apache.org/thread.html/37e1ed724a1b0e5d191d98c822c426670bdfde83804567131847d2a3%40%3Cdevnull.infra.apache.org%3E (Mailing List)
  • https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E (Mailing List)
  • https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E (Mailing List)
  • https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3%40%3Ccommits.nifi.apache.org%3E (Mailing List)
  • https://lists.apache.org/thread.html/c70da3cb6e3f03e0ad8013e38b6959419d866c4a7c80fdd34b73f25c%40%3Ccommits.pulsar.apache.org%3E (Mailing List)
  • https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E (Mailing List)
  • https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E (Mailing List)
  • https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E (Mailing List)
  • https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3E (Mailing List)
  • https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E (Mailing List)
  • https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html (Mailing List)
  • https://seclists.org/bugtraq/2019/May/68 (Mailing List)
  • https://security.netapp.com/advisory/ntap-20190530-0003 (Third Party Advisory)
  • https://www.oracle.com/security-alerts/cpuapr2020.html (X_refsource_misc)
  • https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html (X_refsource_misc)
Affected Vendors, Products, and Versions

Vendor    | Product                                              | Version                | Status
----------|------------------------------------------------------|------------------------|---------
Fasterxml | Jackson-databind                                     | >= 2.6.0 <= 2.6.7.2    | Affected
Fasterxml | Jackson-databind                                     | >= 2.7.0 < 2.7.9.5     | Affected
Fasterxml | Jackson-databind                                     | >= 2.8.0 < 2.8.11.3    | Affected
Fasterxml | Jackson-databind                                     | >= 2.9.0 < 2.9.8       | Affected
Debian    | Debian Linux                                         | 8.0                    | Affected
Debian    | Debian Linux                                         | 9.0                    | Affected
Oracle    | Business Process Management Suite                    | 12.1.3.0.0             | Affected
Oracle    | Business Process Management Suite                    | 12.2.1.3.0             | Affected
Oracle    | Primavera P6 Enterprise Project Portfolio Management | >= 17.7 <= 17.12       | Affected
Oracle    | Primavera P6 Enterprise Project Portfolio Management | 15.1                   | Affected
Oracle    | Primavera P6 Enterprise Project Portfolio Management | 15.2                   | Affected
Oracle    | Primavera P6 Enterprise Project Portfolio Management | 16.1                   | Affected
Oracle    | Primavera P6 Enterprise Project Portfolio Management | 16.2                   | Affected
Oracle    | Primavera P6 Enterprise Project Portfolio Management | 18.8                   | Affected
Oracle    | Primavera Unifier                                    | >= 17.7 <= 17.12       | Affected
Oracle    | Primavera Unifier                                    | 16.1                   | Affected
Oracle    | Primavera Unifier                                    | 16.2                   | Affected
Oracle    | Primavera Unifier                                    | 18.8                   | Affected
Oracle    | Retail Workforce Management Software                 | 1.60.9.0.0             | Affected
Oracle    | Webcenter Portal                                     | 12.2.1.3.0             | Affected
Redhat    | Automation Manager                                   | 7.3.1                  | Affected
Redhat    | Decision Manager                                     | 7.3.1                  | Affected
Redhat    | Jboss Bpm Suite                                      | 6.4.11                 | Affected
Redhat    | Jboss Brms                                           | 6.4.10                 | Affected
Redhat    | Openshift Container Platform                         | 3.11                   | Affected