FasterXML jackson-databind allows unauthenticated remote code execution

🗓️ 16 Oct 2018 17:45:18Reported by GitHub Advisory DatabaseType

github

github🔗 github.com👁 70 Views

FasterXML jackson-databind unauthenticated remote code executio

Reporter	Title	Published	Views	Family All 128
IBM Security Bulletins	Security Bulletin: IBM Maximo Asset Management is vulnerable to Multiple Jackson-Databind CVEs - February 2020	1 Mar 202212:38	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Cloud Pak for Multicloud Management Monitoring has patched several open source dependencies	18 Dec 202115:42	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Security Guardium Insights is affected by Components with known vulnerabilities	6 Oct 202112:30	–	ibm
IBM Security Bulletins	Security Bulletin: IBM InfoSphere Information Server is affected by multiple vulnerabilities in Jackson databind	2 Jun 202123:46	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak.	6 Jan 202321:23	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Data Risk Manager is affected by multiple vulnerabilities	13 Aug 202122:15	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple Vulnerabilities in IBM Guardium Data Encryption (GDE)	12 Jan 202114:42	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Planning Analytics Workspace is affected by security vulnerabilities	18 Feb 202220:23	–	ibm
IBM Security Bulletins	Security Bulletin: z/Transaction Processing Facility is affected by multiple vulnerabilities in the jackson-databind, jackson-dataformat-xml, jackson-core, slf4j-ext, and cxf-core packages	10 Oct 202222:34	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities within Jackson JSON library affect IBM Business Automation Workflow (CVE-2017-17485, CVE-2018-5968, CVE-2018-7489)	3 Jan 202315:55	–	ibm

Vulners

Node

com.fasterxml.jackson.core jackson-databindRange<2.6.7.5maven

OR

com.fasterxml.jackson.core jackson-databindRange2.7.0–2.7.9.3maven

OR

com.fasterxml.jackson.core jackson-databindRange2.8.0–2.8.11.0maven

OR

com.fasterxml.jackson.core jackson-databindRange2.9.0–2.9.5maven

Source	Link
nvd	www.nvd.nist.gov/vuln/detail/CVE-2018-7489
github	www.github.com/FasterXML/jackson-databind/issues/1931
access	www.access.redhat.com/errata/RHSA-2018:1447
access	www.access.redhat.com/errata/RHSA-2018:1448
access	www.access.redhat.com/errata/RHSA-2018:1449
access	www.access.redhat.com/errata/RHSA-2018:1450
access	www.access.redhat.com/errata/RHSA-2018:1451
access	www.access.redhat.com/errata/RHSA-2018:1786
access	www.access.redhat.com/errata/RHSA-2018:2088
access	www.access.redhat.com/errata/RHSA-2018:2089

15 Mar 2024 01:08Current

9.3High risk

Vulners AI Score9.3

CVSS 27.5

CVSS 39.8

EPSS0.36207

CWE-184 CWE-502

fasterxml jackson-databind unauthenticated remote code execution incomplete fix cve-2017-7525 deserialization flaw objectmapper blacklist c3p0 libraries json input.