PT-2018-2765 · Fasterxml+2 · Jackson-Databind+2

Published

2018-08-17

·

Updated

2023-09-13

·

CVE-2018-14719

CVSS v2.0

10

Critical

VectorAV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions FasterXML jackson-databind versions 2.0.0 through 2.9.6 FasterXML jackson-databind versions 2.8.0 through 2.8.11.2 FasterXML jackson-databind versions 2.7.0 through 2.7.9.4
Description The issue is caused by the lack of protection of the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization, which may allow remote attackers to execute arbitrary code.
Recommendations For FasterXML jackson-databind versions 2.0.0 through 2.9.6, update to version 2.9.7 or later. For FasterXML jackson-databind versions 2.8.0 through 2.8.11.2, update to version 2.8.11.3 or later. For FasterXML jackson-databind versions 2.7.0 through 2.7.9.4, update to version 2.7.9.5 or later. As a temporary workaround, consider disabling polymorphic deserialization of the blaze-ds-opt and blaze-ds-core classes until a patch is available.

Exploit

Fix

RCE

Deserialization of Untrusted Data

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-502

Related Identifiers

ALT-PU-2019-2262
BDU:2019-01757
CVE-2018-14719
DLA-1703-1
DSA-4452-1
GHSA-4GQ5-CH57-C2MG
RHSA-2019:0782
USN-4813-1

Affected Products

Alt Linux
Ubuntu
Jackson-Databind