logo

Database

Insecure deserialization In jackson-databind

Description

FasterXML jackson-databind allows unauthenticated remote code execution FasterXML jackson-databind before before 2.6.7.5, 2.7.x before 2.7.9.3, 2.8.x before 2.8.11.1, and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2018-74892. NVD-2018-74893. OSV-DEBIAN-2018-74894. OSV-2018-74895. GHSA-cggj-fvv3-cqwv6. GCVE-2018-74897. SECURITY-TRACKER-CVE-2018-74898. access.redhat.com9. access.redhat.com10. access.redhat.com11. access.redhat.com12. access.redhat.com13. access.redhat.com14. access.redhat.com15. access.redhat.com16. access.redhat.com17. access.redhat.com18. access.redhat.com19. access.redhat.com20. access.redhat.com

References

1. https://github.com/tafamace/CVE-2018-74892. https://github.com/FasterXML/jackson-databind/issues/19313. https://github.com/FasterXML/jackson-databind/commit/e66c0a9d3c926ff1b63bf586c824ead1d02f2a3d4. https://github.com/FasterXML/jackson-databind/commit/ca2bfc86af82a1479112004b663ba74c760752e65. https://github.com/FasterXML/jackson-databind/commit/c921f0935d5e41bf206e702d8077a275ba1a6efc6. https://github.com/FasterXML/jackson-databind/commit/6799f8f10cc78e9af6d443ed6982d00a13f2e7d27. https://github.com/FasterXML/jackson-databind/commit/bc22f90eb7f896ace9567598a99cb1ff6e0f9d9d8. https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html9. https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html10. https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html11. https://www.oracle.com/security-alerts/cpuoct2020.html12. https://www.debian.org/security/2018/dsa-419013. https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03902en_us14. https://security.netapp.com/advisory/ntap-20180328-000115. https://lists.apache.org/thread.html/r1d4a247329a8478073163567bbc8c8cb6b49c6bfc2bf58153a857af1@%3Ccommits.druid.apache.org%3E16. http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html17. http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html18. http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.