PT-2018-2242 · Fasterxml · Jackson-Databind
Published 2018-05-29 · Updated 2021-03-15 · CVE-2018-12023
CVSS v2.0: 7.6 (High)
Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
FasterXML jackson-databind versions prior to 2.7.9.4
FasterXML jackson-databind versions prior to 2.8.11.2
FasterXML jackson-databind versions prior to 2.9.6
Description
An issue in FasterXML jackson-databind allows execution of a malicious payload when Default Typing is enabled and an attacker can supply an LDAP service for the application to reach. The root cause is deserialization of untrusted data, which can lead to remote code execution and so affects the confidentiality, integrity, and availability of protected information.
Recommendations
For versions prior to 2.7.9.4, update to version 2.7.9.4 or later.
For versions prior to 2.8.11.2, update to version 2.8.11.2 or later.
For versions prior to 2.9.6, update to version 2.9.6 or later.
As a temporary workaround, consider disabling Default Typing until a patch is available.
Restrict access to the Oracle JDBC jar in the classpath to minimize the risk of exploitation.
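The two mitigations above (keep Default Typing off, or at least keep it from resolving arbitrary class names) can be seen side by side in the following added example. It is not code from the advisory or from the jackson-databind project; it assumes jackson-databind 2.10 or later on the classpath, where `activateDefaultTyping` with a `PolymorphicTypeValidator` exists (on the fixed 2.7/2.8/2.9 versions listed above the equivalent is simply to not call `enableDefaultTyping` and to use `@JsonTypeInfo` with explicit subtypes). The class names and the JSON document are constructed for the demo.

```java
// Added example, not from the advisory or from jackson-databind itself.
// Assumes jackson-databind >= 2.10. Classes Envelope/Ticket/Other and the
// INPUT document are constructed for this demo.
package demo;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingDemo {

    /** Holder whose field is declared as Object: Jackson cannot know the
     *  concrete type from the declaration, so with Default Typing on it
     *  takes the class name from the input. Declared final so that the
     *  root value itself needs no type wrapper under NON_FINAL. */
    public static final class Envelope {
        public Object body;
    }

    /** The one type the application actually expects in "body". */
    public static class Ticket {
        public String title;
    }

    /** Any other class the input chooses to name (harmless stand-in here). */
    public static class Other {
        public String note;
    }

    // Constructed input: the document, not the code, picks the class.
    static final String INPUT =
        "{\"body\":[\"demo.DefaultTypingDemo$Other\",{\"note\":\"hi\"}]}";

    /** Weak configuration (deprecated API): every class name found in the
     *  input is resolved and instantiated. This is the setting the
     *  advisory tells you to turn off. */
    static ObjectMapper permissive() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    /** Hardened configuration: Default Typing is limited to an explicit
     *  allow-list of subtypes; any other type id is rejected before the
     *  class is instantiated. */
    static ObjectMapper restricted() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType(Ticket.class)
            .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    public static void main(String[] args) throws Exception {
        // Weak mapper: the input-chosen class is instantiated.
        Envelope e = permissive().readValue(INPUT, Envelope.class);
        System.out.println("permissive mapper instantiated: "
            + e.body.getClass().getName());

        // Hardened mapper: the same input is refused with InvalidTypeIdException.
        try {
            restricted().readValue(INPUT, Envelope.class);
            System.out.println("unexpected: restricted mapper accepted the type id");
        } catch (InvalidTypeIdException ex) {
            System.out.println("restricted mapper rejected type id: " + ex.getTypeId());
        }
    }
}
```

The `InvalidTypeIdException` thrown by the restricted mapper is also a useful detection point: logging its `getTypeId()` value from a deserialization error handler shows which class names untrusted input is trying to load.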
Weakness type: Deserialization of Untrusted Data
Affected products: Alt Linux, Ubuntu, Jackson-Databind