ID CVE-2018-19362
Summary FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.
References
Vulnerable Configurations
  • cpe:2.3:a:fasterxml:jackson-databind:2.6.0:*:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.6.0:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.6.0:-:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.6.0:-:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.6.0:rc1:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.6.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.6.0:rc2:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.6.0:rc2:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.6.0:rc3:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.6.0:rc3:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.6.0:rc4:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.6.0:rc4:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.6.1:*:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.6.1:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.6.2:*:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.6.2:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.6.3:*:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.6.3:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.6.4:*:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.6.4:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.6.5:*:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.6.5:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.6.6:*:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.6.6:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.6.7:*:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.6.7:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.6.7.1:*:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.6.7.1:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.6.7.2:*:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.6.7.2:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.7.0:*:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.7.0:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.7.0:-:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.7.0:-:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.7.0:rc1:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.7.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.7.0:rc2:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.7.0:rc2:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.7.0:rc3:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.7.0:rc3:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.7.1:*:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.7.1:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.7.1-1:*:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.7.1-1:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.7.2:*:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.7.2:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.7.3:*:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.7.3:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.7.4:*:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.7.4:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.7.5:*:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.7.5:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.7.6:*:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.7.6:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.7.7:*:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.7.7:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.7.8:*:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.7.8:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.7.9:*:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.7.9:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.7.9.1:*:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.7.9.1:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.7.9.2:*:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.7.9.2:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.7.9.3:*:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.7.9.3:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.7.9.4:*:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.7.9.4:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.8.0:*:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.8.0:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.8.1:*:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.8.1:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.8.2:*:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.8.2:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.8.3:*:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.8.3:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.8.4:*:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.8.4:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.8.5:*:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.8.5:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.8.6:*:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.8.6:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.8.7:*:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.8.7:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.8.8:*:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.8.8:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.8.8.1:*:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.8.8.1:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.8.9:*:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.8.9:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.8.10:*:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.8.10:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.8.11:*:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.8.11:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.8.11.1:*:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.8.11.1:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.8.11.2:*:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.8.11.2:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.9.0:*:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.9.0:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.9.0:-:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.9.0:-:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.9.0:prerelease1:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.9.0:prerelease1:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.9.0:prerelease2:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.9.0:prerelease2:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.9.0:prerelease3:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.9.0:prerelease3:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.9.0:prerelease4:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.9.0:prerelease4:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.9.1:*:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.9.1:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.9.2:*:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.9.2:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.9.3:*:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.9.3:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.9.4:*:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.9.4:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.9.5:*:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.9.5:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.9.6:*:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.9.6:*:*:*:*:*:*:*
  • cpe:2.3:a:fasterxml:jackson-databind:2.9.7:*:*:*:*:*:*:*
    cpe:2.3:a:fasterxml:jackson-databind:2.9.7:*:*:*:*:*:*:*
  • cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
    cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:business_process_management_suite:12.1.3.0.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:business_process_management_suite:12.1.3.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:15.1:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:15.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:15.2:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:15.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:16.1:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:16.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:16.2:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:16.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.7:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.8:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.9:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.9:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.10:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.10:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.11:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.11:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.12:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.12:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:18.8:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:18.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_unifier:17.7:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:primavera_unifier:17.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_unifier:17.8:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:primavera_unifier:17.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_unifier:17.9:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:primavera_unifier:17.9:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_unifier:17.10:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:primavera_unifier:17.10:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_unifier:17.11:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:primavera_unifier:17.11:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_unifier:17.12:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:primavera_unifier:17.12:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_workforce_management_software:1.60.9.0.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:retail_workforce_management_software:1.60.9.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:automation_manager:7.3.1:*:*:*:*:*:*:*
    cpe:2.3:a:redhat:automation_manager:7.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:decision_manager:7.3.1:*:*:*:*:*:*:*
    cpe:2.3:a:redhat:decision_manager:7.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:jboss_bpm_suite:6.4.11:*:*:*:*:*:*:*
    cpe:2.3:a:redhat:jboss_bpm_suite:6.4.11:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:jboss_brms:6.4.10:*:*:*:*:*:*:*
    cpe:2.3:a:redhat:jboss_brms:6.4.10:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*
    cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*
CVSS
Base: 7.5 (as of 31-08-2020 - 14:15)
Impact:
Exploitability:
CWE CWE-502
CAPEC
  • Object Injection
    An adversary attempts to exploit an application by injecting additional, malicious content during its processing of serialized objects. Developers leverage serialization in order to convert data or state into a static, binary format for saving to disk or transferring over a network. These objects are then deserialized when needed to recover the data/state. By injecting a malformed object into a vulnerable application, an adversary can potentially compromise the application by manipulating the deserialization process. This can result in a number of unwanted outcomes, including remote code execution.
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:P/A:P
redhat via4
advisories
  • rhsa
    id RHBA-2019:0959
  • rhsa
    id RHSA-2019:0782
  • rhsa
    id RHSA-2019:0877
  • rhsa
    id RHSA-2019:1782
  • rhsa
    id RHSA-2019:1797
  • rhsa
    id RHSA-2019:1822
  • rhsa
    id RHSA-2019:1823
  • rhsa
    id RHSA-2019:2804
  • rhsa
    id RHSA-2019:2858
  • rhsa
    id RHSA-2019:3002
  • rhsa
    id RHSA-2019:3140
  • rhsa
    id RHSA-2019:3149
  • rhsa
    id RHSA-2019:3892
  • rhsa
    id RHSA-2019:4037
rpms
  • rh-maven35-jackson-databind-0:2.7.6-2.5.el7
  • rh-maven35-jackson-databind-javadoc-0:2.7.6-2.5.el7
refmap via4
bid 107985
bugtraq 20190527 [SECURITY] [DSA 4452-1] jackson-databind security update
confirm
debian DSA-4452
misc
mlist
  • [bookkeeper-issues] 20200729 [GitHub] [bookkeeper] padma81 opened a new issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image
  • [debian-lts-announce] 20190304 [SECURITY] [DLA 1703-1] jackson-databind security update
  • [drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities
  • [drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities
  • [drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities
  • [geode-issues] 20200831 [jira] [Created] (GEODE-8471) Dependency security issues in geode-core-1.12
  • [infra-devnull] 20190329 [GitHub] [pulsar] massakam opened pull request #3938: Upgrade third party libraries with security vulnerabilities
  • [nifi-commits] 20191113 svn commit: r1869773 - /nifi/site/trunk/security.html
  • [nifi-commits] 20200123 svn commit: r1873083 - /nifi/site/trunk/security.html
  • [pulsar-commits] 20190329 [GitHub] [pulsar] massakam opened a new pull request #3938: Upgrade third party libraries with security vulnerabilities
  • [pulsar-commits] 20190416 [GitHub] [pulsar] one70six opened a new issue #4057: Security Vulnerabilities - Black Duck Scan - Pulsar v.2.3.1
Last major update 31-08-2020 - 14:15
Published 02-01-2019 - 18:29
Last modified 31-08-2020 - 14:15
Back to Top