CVE-2018-11307

FasterXML/jackson-databind
on github

Published

Severity

CVSS v3:
9.8 CRITICAL
CVSS v2:
7.5 HIGH

Description

An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and 2.9.6.

References

Configurations

CPE23Version StartVersion EndExact Version
cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*2.9.0 (including)2.9.5*
cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*2.7.0 (including)2.7.9.4*
cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*2.8.0 (including)2.8.11.2*
cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*2.6.0 (including)2.6.7.3*
cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*n/an/a3.11
cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:17.0:*:*:*:*:*:*:*n/an/a17.0
cpe:2.3:a:oracle:clusterware:12.1.0.2.0:*:*:*:*:*:*:*n/an/a12.1.0.2.0
cpe:2.3:a:oracle:global_lifecycle_management_opatch:*:*:*:*:*:*:*:*n/a11.2.0.3.23*
cpe:2.3:a:oracle:global_lifecycle_management_opatch:*:*:*:*:*:*:*:*12.2.0.1.0 (including)12.2.0.1.19*
cpe:2.3:a:oracle:global_lifecycle_management_opatch:*:*:*:*:*:*:*:*13.9.4.0.0 (including)13.9.4.2.1*
cpe:2.3:a:oracle:utilities_advanced_spatial_and_operational_analytics:2.7.0.1:*:*:*:*:*:*:*n/an/a2.7.0.1
cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.2.0:*:*:*:*:*:*:*n/an/a10.0.1.2.0
cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*2.0.0 (including)2.6.7.3*
cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*2.9.0 (including)2.9.6*

External Links