PT-2019-2925 · Fasterxml · Jackson-Databind

Published: 2019-01-02 · Updated: 2021-03-15 · CVE-2018-19361

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: FasterXML jackson-databind versions 2.x before 2.9.8
Description: The vulnerability stems from a failure to block the openjpa class from polymorphic deserialization in the FasterXML jackson-databind library, which is used to parse JSON. A remote attacker could exploit it to execute arbitrary code or cause a denial of service.
Recommendations: For FasterXML jackson-databind versions 2.x before 2.9.8, update to version 2.9.8 or later to resolve the issue. As a temporary workaround, restrict the use of polymorphic deserialization to minimize the risk of exploitation.
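As an added illustration of the workaround above (this is not code from the advisory or from the Jackson project), a risky ObjectMapper configuration is shown beside two hardened forms. The package name com.example.model is a placeholder, and the allowlist validator API assumed here exists only in jackson-databind 2.10 and later; on 2.9.x the workaround is simply not to enable default typing.

```java
// Added example: risky vs. hardened Jackson polymorphic-typing configuration.
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class JacksonTypingConfig {

    // Risky: global default typing lets the JSON document name the concrete
    // class to instantiate. Any class the built-in blocklist misses (such as
    // the openjpa class in this advisory) then becomes reachable from
    // untrusted input deserialized into Object-typed or non-final fields.
    public static ObjectMapper riskyMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // deprecated since 2.10; avoid on untrusted input
        return mapper;
    }

    // Hardened (works on 2.9.x too): no default typing at all. Untrusted JSON
    // can only populate the declared target type and cannot pick arbitrary
    // classes from the classpath.
    public static ObjectMapper hardenedMapper() {
        return new ObjectMapper();
    }

    // Hardened when polymorphism is genuinely required (2.10+ only): an
    // allowlist validator limits type names to an application package, so
    // gadget classes from third-party libraries are rejected before loading.
    // "com.example.model." is a placeholder package prefix.
    public static ObjectMapper allowlistedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }
}
```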

Weakness Enumeration

Deserialization of Untrusted Data

Related Identifiers

ALT-PU-2019-2262
BDU:2019-02897
CVE-2018-19361
DLA-1703-1
DSA-4452-1
GHSA-MX9V-GMH4-MGQW
OPENSUSE-SU-2024:10868-1
RHSA-2019:0782
USN-4813-1

Affected Products

Alt Linux
Ubuntu
Jackson-Databind