CVE-2018-7489

CRITICAL

9.8

CVSS Severity Score

EPSS Score0.0800%

EPSS Percentile21.12th

PublishedFeb 26, 2018

Last ModifiedNov 21, 2024

Vulnerability Description

FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.

Affected Platforms (CPE)

📦

Fasterxml

Jackson Databind

< 2.7.9.3

📦

Fasterxml

Jackson Databind

>= 2.8.0 and < 2.8.11.1

📦

Fasterxml

Jackson Databind

>= 2.9.0 and < 2.9.5

💻

Debian

Debian Linux

= 8.0

💻

Debian

Debian Linux

= 9.0

📦

Oracle

Communications Billing And Revenue Management

= 7.5

📦

Oracle

Communications Billing And Revenue Management

= 12.0

📦

Oracle

Communications Instant Messaging Server

= 10.0.1

📦

Redhat

Jboss Enterprise Application Platform

= 6.4.19

📦

Redhat

Jboss Enterprise Application Platform

= 7.1.2

References & Advisories

🔗 http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

🔗 http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

🔗 http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

🔗 http://www.securityfocus.com/bid/103203

🔗 http://www.securitytracker.com/id/1040693

🔗 http://www.securitytracker.com/id/1041890

🔗 https://access.redhat.com/errata/RHSA-2018:1447

🔗 https://access.redhat.com/errata/RHSA-2018:1448

Vulnerability Description

Affected Platforms (CPE)

Jackson Databind

Jackson Databind

Jackson Databind

Debian Linux

Debian Linux

Communications Billing And Revenue Management

Communications Billing And Revenue Management

Communications Instant Messaging Server

Jboss Enterprise Application Platform

Jboss Enterprise Application Platform

References & Advisories

Related Vulnerabilities