PT-2007-1133 · Fasterxml · Jackson-Databind

Published: 2007-04-10 · Updated: 2024-06-15 · CVE-2018-7489

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions:
FasterXML jackson-databind versions 2.6.0 through 2.6.7.4
FasterXML jackson-databind versions 2.7.0 through 2.7.9.2
FasterXML jackson-databind versions 2.8.0 through 2.8.11.0
FasterXML jackson-databind versions 2.9.0 through 2.9.4

Description: The issue lies in the ObjectMapper component of the FasterXML jackson-databind library, which can deserialize untrusted data into object structures in memory. A remote attacker can exploit this to bypass blacklist restrictions and execute arbitrary code using specially crafted JSON data. The vulnerability is triggered by sending malicious JSON input to the readValue method of the ObjectMapper; the blacklist of disallowed classes is incomplete and can be bypassed when the c3p0 libraries are present on the classpath.

Recommendations:
For FasterXML jackson-databind versions 2.6.0 through 2.6.7.4, update to version 2.6.7.5 or later.
For FasterXML jackson-databind versions 2.7.0 through 2.7.9.2, update to version 2.7.9.3 or later.
For FasterXML jackson-databind versions 2.8.0 through 2.8.11.0, update to version 2.8.11.1 or later.
For FasterXML jackson-databind versions 2.9.0 through 2.9.4, update to version 2.9.5 or later.
As a temporary workaround, consider restricting access to the readValue method of the ObjectMapper to minimize the risk of exploitation.
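The weakness classified here as an incomplete list of disallowed inputs is the blacklist that guards jackson's default typing. The Java example below is added here and is not part of the advisory or of the jackson project; it contrasts that configuration with the allowlist-based PolymorphicTypeValidator available in jackson-databind 2.10 and later (newer than the fixed versions listed above). Shape, Circle and Square are hypothetical application types.

```java
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class PolymorphicAllowlistDemo {
    // Hypothetical application types; they are not from the advisory.
    public interface Shape {}
    public static class Circle implements Shape { public double radius; }
    public static class Square implements Shape { public double side; }
    // Weak: global default typing guarded only by jackson's built-in blacklist of
    // gadget classes. Any class the list misses (the c3p0 classes in CVE-2018-7489)
    // is resolved and instantiated from the class name carried in the JSON.
    @SuppressWarnings("deprecation")
    public static ObjectMapper weakMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }
    // Hardened (jackson-databind 2.10+): every type id is checked against an explicit
    // allowlist, so a class name that is not on it is rejected instead of instantiated.
    public static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Circle.class)   // the only concrete type we accept
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }
    // Default typing writes the class name in a wrapper array: ["fqcn", {...}].
    static String typed(Class<?> c, String body) {
        return "[\"" + c.getName() + "\"," + body + "]";
    }
    // True if the mapper deserializes the payload as a Shape without complaint.
    static boolean accepts(ObjectMapper m, String json) {
        try {
            m.readValue(json, Shape.class);
            return true;
        } catch (JsonProcessingException e) {   // InvalidTypeIdException when denied
            return false;
        }
    }
    public static void main(String[] args) {
        String circle = typed(Circle.class, "{\"radius\":2.0}");
        String square = typed(Square.class, "{\"side\":3.0}");   // not allowlisted
        System.out.println("weak:     " + accepts(weakMapper(), circle) + " " + accepts(weakMapper(), square));
        System.out.println("hardened: " + accepts(hardenedMapper(), circle) + " " + accepts(hardenedMapper(), square));
    }
}
```

The weak mapper accepts both payloads because neither class is on the blacklist, while the hardened mapper rejects the Square payload because only Circle is allowlisted.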

Tags: Exploit · Fix · RCE

Weakness Enumeration: Incomplete List of Disallowed Inputs; Deserialization of Untrusted Data

Related Identifiers

ALT-PU-2019-2262
BDU:2018-00945
CVE-2018-7489
DSA-4190-1
GHSA-CGGJ-FVV3-CQWV
OPENSUSE-SU-2024:10868-1
OPENSUSE-SU-2024:10886-1
RHSA-2018:1448
RHSA-2018:1449
RHSA-2018:1450
RHSA-2018:1451
RHSA-2018:2089
RHSA-2018:2090

Affected Products

Alt Linux
Oracle Weblogic Server
C3P0
Jackson-Databind