GitHub Advisory DatabaseGHSA-6WQP-V4V6-C87CDeserialization of Untrusted Data
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
5.1 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
HIGH
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:H/Au:N/C:P/I:P/A:P
0.009 Low
EPSS
Percentile
82.4%
An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.
References
www.securityfocus.com/bid/105659
access.redhat.com/errata/RHBA-2019:0959
access.redhat.com/errata/RHSA-2019:0782
access.redhat.com/errata/RHSA-2019:0877
access.redhat.com/errata/RHSA-2019:1106
access.redhat.com/errata/RHSA-2019:1107
access.redhat.com/errata/RHSA-2019:1108
access.redhat.com/errata/RHSA-2019:1140
access.redhat.com/errata/RHSA-2019:1782
access.redhat.com/errata/RHSA-2019:1797
access.redhat.com/errata/RHSA-2019:1822
access.redhat.com/errata/RHSA-2019:1823
access.redhat.com/errata/RHSA-2019:2804
access.redhat.com/errata/RHSA-2019:2858
access.redhat.com/errata/RHSA-2019:3002
access.redhat.com/errata/RHSA-2019:3140
access.redhat.com/errata/RHSA-2019:3149
access.redhat.com/errata/RHSA-2019:3892
access.redhat.com/errata/RHSA-2019:4037
github.com/advisories/GHSA-6wqp-v4v6-c87c
github.com/FasterXML/jackson-databind/commit/28badf7ef60ac3e7ef151cd8e8ec010b8479226a
github.com/FasterXML/jackson-databind/commit/7487cf7eb14be2f65a1eb108e8629c07ef45e0a
github.com/FasterXML/jackson-databind/commit/bf261d404c2f79fd3406237710d40ebb03c99d84
github.com/FasterXML/jackson-databind/issues/2058
lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E
lists.apache.org/thread.html/7fcf88aff0d1deaa5c3c7be8d58c05ad7ad5da94b59065d8e7c50c5d@%3Cissues.lucene.apache.org%3E
lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E
lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E
lists.fedoraproject.org/archives/list/[email protected]/message/ZEDLDUYBSTDY4GWDBUXGJNS2RFYTFVRC
nvd.nist.gov/vuln/detail/CVE-2018-12023
seclists.org/bugtraq/2019/May/68
security.netapp.com/advisory/ntap-20190530-0003
www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf
www.debian.org/security/2019/dsa-4452
www.oracle.com/security-alerts/cpuapr2020.html
www.oracle.com/security-alerts/cpujul2020.html
www.oracle.com/security-alerts/cpuoct2020.html
www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
5.1 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
HIGH
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:H/Au:N/C:P/I:P/A:P
0.009 Low
EPSS
Percentile
82.4%