Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix CVE–2018–7489 #9

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

debricked-staging[bot]
Copy link

CVE–2018–7489

Vulnerable dependency:     com.fasterxml.jackson.core:jackson-databind (Maven)    2.3.3

Vulnerability details

Description

Incomplete List of Disallowed Inputs

The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete, leading to resultant weaknesses.

GitHub

High severity vulnerability that affects com.fasterxml.jackson.core:jackson-databind

FasterXML jackson-databind before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.

NVD

FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.

CVSS details - 9.8

 

CVSS3 metrics
Attack Vector Network
Attack Complexity Low
Privileges Required None
User interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High
References

    Red Hat Customer Portal - Access to 24x7 support and knowledge
    NVD - CVE-2018-7489
    Oracle Critical Patch Update Advisory - January 2019
    Oracle Critical Patch Update Advisory - April 2019
    Debian -- Security Information -- DSA-4190-1 jackson-databind
    Document Display | HPE Support Center
    CVE-2018-7489 Jackson JSON Library Vulnerability in NetApp Products | NetApp Product Security
    Block two more gadgets to exploit default typing issue (c3p0, CVE-2018-7489) · Issue #1931 · FasterXML/jackson-databind · GitHub
    Red Hat Customer Portal - Access to 24x7 support and knowledge
    Red Hat Customer Portal - Access to 24x7 support and knowledge
    Red Hat Customer Portal - Access to 24x7 support and knowledge
    Red Hat Customer Portal - Access to 24x7 support and knowledge
    Bugtraq
    Oracle Financial Services Applications Flaws Let Remote Users Access and Modify Data and Gain Elevated Privileges on the Target System - SecurityTracker
    Oracle Database Multiple Bugs Let Remote and Local Users Deny Service and Let Remote Users Modify Data and Gain Elevated Privileges - SecurityTracker
    Red Hat Customer Portal - Access to 24x7 support and knowledge
    Red Hat Customer Portal - Access to 24x7 support and knowledge
    Red Hat Customer Portal - Access to 24x7 support and knowledge
    Red Hat Customer Portal - Access to 24x7 support and knowledge
    Red Hat Customer Portal - Access to 24x7 support and knowledge
    Red Hat Customer Portal - Access to 24x7 support and knowledge
    High severity vulnerability that affects com.fasterxml.jackson.core:jackson-databind · CVE-2018-7489 · GitHub Advisory Database · GitHub
    Oracle Critical Patch Update - April 2018
    Oracle Critical Patch Update Advisory - July 2019
    CPU July 2018
    Oracle Critical Patch Update - October 2018
    Red Hat Customer Portal - Access to 24x7 support and knowledge
    Red Hat Customer Portal - Access to 24x7 support and knowledge
    Oracle Critical Patch Update Advisory - October 2020
    MLIST

 

Related information

📌 Remember! Check the changes to ensure they don't introduce any breaking changes.
📚 Read more about the CVE

 

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants