PT-2018-2770 · Jackson+2 · Jackson-Databind+2
Published
2018-05-29
·
Updated
2023-09-13
·
CVE-2018-12022
CVSS v2.0
7.6
High
| Vector | AV:N/AC:H/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
jackson-databind versions prior to 2.7.9.4
jackson-databind versions prior to 2.8.11.2
jackson-databind versions prior to 2.9.6
Description
The issue is related to the restoration of untrusted data structures in memory, potentially allowing a remote attacker to impact the confidentiality, integrity, and availability of protected information. When Default Typing is enabled, the presence of the Jodd-db jar in the classpath, and an attacker-provided LDAP service, it is possible to execute a malicious payload.
Recommendations
For jackson-databind versions prior to 2.7.9.4, update to version 2.7.9.4 or later.
For jackson-databind versions prior to 2.8.11.2, update to version 2.8.11.2 or later.
For jackson-databind versions prior to 2.9.6, update to version 2.9.6 or later.
Exploit
Fix
Deserialization of Untrusted Data
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Ubuntu
Jackson-Databind