CVE-2018-5968

FasterXML/jackson-databind
on github

Published

Severity

CVSS v3:
8.1 HIGH
CVSS v2:
6.8 MEDIUM

Description

FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.

References

Configurations

CPE23Version StartVersion EndExact Version
cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*2.8.0 (including)2.8.11.1*
cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*2.9.0 (including)2.9.4*
cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*2.6.0 (including)2.6.7.3*
cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*2.7.0 (including)2.7.9.2*
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*n/an/a8.0
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*n/an/a9.0
cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*n/an/a3.11
cpe:2.3:a:netapp:e-series_santricity_web_services_proxy:-:*:*:*:*:*:*:*n/an/a-
cpe:2.3:a:netapp:e-series_santricity_os_controller:*:*:*:*:*:*:*:*11.0.0 (including)11.60.3 (including)*
cpe:2.3:a:netapp:oncommand_shift:-:*:*:*:*:*:*:*n/an/a-
cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*2.0.0 (including)2.6.7.3*

External Links