PT-2018-2770 · Jackson+2 · Jackson-Databind+2

Publicado

2018-05-29

·

Atualizado

2023-09-13

·

CVE-2018-12022

CVSS v2.0

7.6

Alta

VetorAV:N/AC:H/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions jackson-databind versions prior to 2.7.9.4 jackson-databind versions prior to 2.8.11.2 jackson-databind versions prior to 2.9.6
Description The issue is related to the restoration of untrusted data structures in memory, potentially allowing a remote attacker to impact the confidentiality, integrity, and availability of protected information. When Default Typing is enabled, the presence of the Jodd-db jar in the classpath, and an attacker-provided LDAP service, it is possible to execute a malicious payload.
Recommendations For jackson-databind versions prior to 2.7.9.4, update to version 2.7.9.4 or later. For jackson-databind versions prior to 2.8.11.2, update to version 2.8.11.2 or later. For jackson-databind versions prior to 2.9.6, update to version 2.9.6 or later.

Exploit

Correção

Deserialization of Untrusted Data

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-502

Identificadores relacionados

ALT-PU-2019-2262
BDU:2019-01766
CVE-2018-12022
DLA-1703-1
DSA-4452-1
GHSA-CJJF-94FF-43W7
GHSA-WRR7-33FX-RCVJ
OPENSUSE-SU-2024:10868-1
RHSA-2019:0782
RHSA-2019:1107
RHSA-2019:1108
USN-4813-1

Produtos afetados

Alt Linux
Ubuntu
Jackson-Databind