Lucene search

[email protected]CVE-2018-12023

HistoryMar 21, 2019 - 4:00 p.m.

CVE-2018-12023

2019-03-2116:00:00

CWE-502

[email protected]

web.nvd.nist.gov

cve-2018-12023

jackson-databind

remote code execution

ldap

security vulnerability

nvd

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

8.3 High

AI Score

Confidence

High

5.1 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

HIGH

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:H/Au:N/C:P/I:P/A:P

0.009 Low

EPSS

Percentile

82.4%

JSON

An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.

CPENameOperatorVersion
fasterxml:jackson-databindfasterxml jackson-databindlt2.7.9.4
fasterxml:jackson-databindfasterxml jackson-databindlt2.8.11.2
fasterxml:jackson-databindfasterxml jackson-databindlt2.9.6
debian:debian_linuxdebian debian linuxeq9.0
fedoraproject:fedorafedoraproject fedoraeq29
oracle:jd_edwards_enterpriseone_toolsoracle jd edwards enterpriseone toolseq9.2
oracle:retail_merchandising_systemoracle retail merchandising systemeq15.0
redhat:openshift_container_platformredhat openshift container platformeq3.11
redhat:jboss_enterprise_application_platformredhat jboss enterprise application platformeq7.2.0
redhat:single_sign-onredhat single sign-oneq7.3

CPE	Name	Operator	Version
fasterxml:jackson-databind	fasterxml jackson-databind	lt	2.7.9.4
fasterxml:jackson-databind	fasterxml jackson-databind	lt	2.8.11.2
fasterxml:jackson-databind	fasterxml jackson-databind	lt	2.9.6
debian:debian_linux	debian debian linux	eq	9.0
fedoraproject:fedora	fedoraproject fedora	eq	29
oracle:jd_edwards_enterpriseone_tools	oracle jd edwards enterpriseone tools	eq	9.2
oracle:retail_merchandising_system	oracle retail merchandising system	eq	15.0
redhat:openshift_container_platform	redhat openshift container platform	eq	3.11
redhat:jboss_enterprise_application_platform	redhat jboss enterprise application platform	eq	7.2.0
redhat:single_sign-on	redhat single sign-on	eq	7.3

Rows per page:

1-10 of 131

References

www.securityfocus.com/bid/105659

access.redhat.com/errata/RHBA-2019:0959

access.redhat.com/errata/RHSA-2019:0782

access.redhat.com/errata/RHSA-2019:0877

access.redhat.com/errata/RHSA-2019:1106

access.redhat.com/errata/RHSA-2019:1107

access.redhat.com/errata/RHSA-2019:1108

access.redhat.com/errata/RHSA-2019:1140

access.redhat.com/errata/RHSA-2019:1782

access.redhat.com/errata/RHSA-2019:1797

access.redhat.com/errata/RHSA-2019:1822

access.redhat.com/errata/RHSA-2019:1823

access.redhat.com/errata/RHSA-2019:2804

access.redhat.com/errata/RHSA-2019:2858

access.redhat.com/errata/RHSA-2019:3002

access.redhat.com/errata/RHSA-2019:3140

access.redhat.com/errata/RHSA-2019:3149

access.redhat.com/errata/RHSA-2019:3892

access.redhat.com/errata/RHSA-2019:4037

github.com/FasterXML/jackson-databind/commit/28badf7ef60ac3e7ef151cd8e8ec010b8479226a

github.com/FasterXML/jackson-databind/issues/2058

lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E

lists.apache.org/thread.html/7fcf88aff0d1deaa5c3c7be8d58c05ad7ad5da94b59065d8e7c50c5d%40%3Cissues.lucene.apache.org%3E

lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E

lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZEDLDUYBSTDY4GWDBUXGJNS2RFYTFVRC/

seclists.org/bugtraq/2019/May/68

security.netapp.com/advisory/ntap-20190530-0003/

www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf

www.debian.org/security/2019/dsa-4452

www.oracle.com/security-alerts/cpuapr2020.html

www.oracle.com/security-alerts/cpujul2020.html

www.oracle.com/security-alerts/cpuoct2020.html

www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

8.3 High

AI Score

Confidence

High

5.1 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

HIGH

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:H/Au:N/C:P/I:P/A:P

0.009 Low

EPSS

Percentile

82.4%

JSON

Related for CVE-2018-12023

debiancve1 osv5 redhatcve1 veracode1 github1 ubuntucve1 prion1 nessus8 ibm13 redhat17 debian2 openvas20 fedora18 ubuntu1 hp1 oracle7