CVE-2018-7489
jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries
Severity Score
9.8
*CVSS v3
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
1
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.
FasterXML jackson-databind, en versiones anteriores a la 2.7.9.3, versiones 2.8.x anteriores a la 2.8.11.1 y las versiones 2.9.x anteriores a la 2.9.5, permite la ejecución remota de código sin autenticar debido a una solución incompleta para el error de deserialización CVE-2017-7525. Esto puede explotarse mediante el envío de entradas JSON maliciosamente manipuladas al método readValue de ObjectMapper, omitiendo una lista negra no efectiva si las librerías c3p0 están disponibles en la classpath.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2018-02-26 CVE Reserved
- 2018-02-26 CVE Published
- 2018-11-19 First Exploit
- 2024-08-05 CVE Updated
- 2024-08-22 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-20: Improper Input Validation
- CWE-184: Incomplete List of Disallowed Inputs
- CWE-502: Deserialization of Untrusted Data
CAPEC
References (32)
| URL | Tag | Source |
|---|---|---|
| http://www.securityfocus.com/bid/103203 | Third Party Advisory | |
| http://www.securitytracker.com/id/1040693 | Third Party Advisory | |
| http://www.securitytracker.com/id/1041890 | Third Party Advisory | |
| https://github.com/FasterXML/jackson-databind/issues/1931 | Third Party Advisory | |
| https://lists.apache.org/thread.html/r1d4a247329a8478073163567bbc8c8cb6b49c6bfc2bf58153a857af1%40%3Ccommits.druid.apache.org%3E | Mailing List | |
| https://security.netapp.com/advisory/ntap-20180328-0001 | Third Party Advisory |
|
| https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03902en_us | Third Party Advisory | |
| https://www.oracle.com/security-alerts/cpuoct2020.html | X_refsource_misc |
|
| URL | Date | SRC |
|---|---|---|
| https://github.com/tafamace/CVE-2018-7489 | 2018-11-19 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Fasterxml Search vendor "Fasterxml" | Jackson-databind Search vendor "Fasterxml" for product "Jackson-databind" | < 2.7.9.3 Search vendor "Fasterxml" for product "Jackson-databind" and version " < 2.7.9.3" | - |
Affected
| ||||||
| Fasterxml Search vendor "Fasterxml" | Jackson-databind Search vendor "Fasterxml" for product "Jackson-databind" | >= 2.8.0 < 2.8.11.1 Search vendor "Fasterxml" for product "Jackson-databind" and version " >= 2.8.0 < 2.8.11.1" | - |
Affected
| ||||||
| Fasterxml Search vendor "Fasterxml" | Jackson-databind Search vendor "Fasterxml" for product "Jackson-databind" | >= 2.9.0 < 2.9.5 Search vendor "Fasterxml" for product "Jackson-databind" and version " >= 2.9.0 < 2.9.5" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 8.0 Search vendor "Debian" for product "Debian Linux" and version "8.0" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Billing And Revenue Management Search vendor "Oracle" for product "Communications Billing And Revenue Management" | 7.5 Search vendor "Oracle" for product "Communications Billing And Revenue Management" and version "7.5" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Billing And Revenue Management Search vendor "Oracle" for product "Communications Billing And Revenue Management" | 12.0 Search vendor "Oracle" for product "Communications Billing And Revenue Management" and version "12.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Instant Messaging Server Search vendor "Oracle" for product "Communications Instant Messaging Server" | 10.0.1 Search vendor "Oracle" for product "Communications Instant Messaging Server" and version "10.0.1" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 6.4.19 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "6.4.19" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 7.1.2 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "7.1.2" | - |
Affected
| ||||||