Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBMC7DD07DAD80496C03ABFD0EE55F04C1759F2915C9B0A8C1F66F87E8D2110B95B
HistoryFeb 20, 2023 - 5:43 a.m.

Security Bulletin: IBM B2B Advanced Communications is vulnerable to multiple issues due to FasterXML jackson-databind

2023-02-2005:43:47
www.ibm.com
15

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.939 High

EPSS

Percentile

99.1%

JSON

Summary

IBM B2B Advanced Communications has addressed vulnerabilities in jackson-databind shipped with product.

Vulnerability Details

CVEID:CVE-2018-14719
**DESCRIPTION:**FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by the failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization. An attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/155138 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2018-14718
**DESCRIPTION:**FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by the failure to block the slf4j-ext class from polymorphic deserialization. An attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/155139 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2018-7489
**DESCRIPTION:**FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by a deserialization flaw in the readValue method of the ObjectMapper. By sending specially crafted JSON input, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/139549 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:CVE-2018-14721
**DESCRIPTION:**FasterXML jackson-databind is vulnerable to server-side request forgery, caused by the failure to block the axis2-jaxws class from polymorphic deserialization. A remote authenticated attacker could exploit this vulnerability to obtain sensitive data.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/155136 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:CVE-2020-8840
**DESCRIPTION:**Multiple Huawei products could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data without proper validation. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/185699 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
IBM B2B Advanced Communications 1.0.0.x
IBM Multi-Enterprise Integration Gateway 1.0.0.1

Remediation/Fixes

IBM strongly suggests the following remediation / fix:

**Product **

|

Version

|

Remediation

—|—|—

IBM B2B Advanced Communications

|

1.0.0.x

| Apply fix pack 1.0.0.8
IBM Multi-Enterprise Integration Gateway|

1.0.0.1

| Apply fix pack 1.0.0.8

Workarounds and Mitigations

None

Related

ibm 32
nessus 21
freebsd 2
redhat 29
github 5
debiancve 5
f5 1
githubexploit 3
veracode 5
osv 15
cve 6
prion 6
redhatcve 6
atlassian 4
ubuntucve 5
huawei 2
fedora 19
openvas 24
debian 5
attackerkb 1
checkpoint_advisories 2
ubuntu 1
ibm
ibm
Security Bulletin: Multiple vulnerabilities in jackson-databind affect IBM Platform Symphony and IBM Spectrum Symphony
2019-06-19 17:05:01
Security Bulletin: IBM Security Guardium is affected by a jackson-databind vulnerabilities
2019-10-01 19:20:25
Security Bulletin: Multiple Vulnerabilities in Jackson-Databind Affect IBM Global High Availability Mailbox
2019-05-24 15:35:01
nessus
nessus
Oracle Primavera Unifier Multiple Vulnerabilities (Jan 2019 CPU)
2019-01-18 00:00:00
FreeBSD : payara -- multiple vulnerabilities (71c71ce0-0805-11eb-a3a4-0019dbb15b3f)
2020-10-09 00:00:00
Fedora 28 : jackson-databind (2018-633acf0ed6)
2019-01-03 00:00:00
freebsd
freebsd
payara -- multiple vulnerabilities
2019-02-01 00:00:00
payara -- Default typing issue in Jackson Databind
2018-02-26 00:00:00
redhat
redhat
(RHSA-2020:2564) Important: EAP Continuous Delivery Technical Preview Release 16 security update
2020-06-15 16:12:30
(RHSA-2019:0782) Important: rh-maven35-jackson-databind security update
2019-04-17 20:45:27
(RHSA-2019:4037) Important: Red Hat Data Grid 7.3.2 security update
2019-12-02 16:21:52
github
github
Arbitrary Code Execution in jackson-databind
2019-01-04 19:06:55
Deserialization of Untrusted Data in jackson-databind
2020-03-04 20:52:14
Server-Side Request Forgery (SSRF) in jackson-databind
2019-01-04 19:07:06
debiancve
debiancve
CVE-2018-14719
2019-01-02 18:29:00
CVE-2018-14718
2019-01-02 18:29:00
CVE-2018-14721
2019-01-02 18:29:00
f5
f5
K15320518 : FasterXML jackson-databind vulnerability CVE-2020-8840
2020-03-24 00:00:00
githubexploit
githubexploit
Exploit for Deserialization of Untrusted Data in Fasterxml Jackson-Databind
2020-02-23 03:51:40
Exploit for Deserialization of Untrusted Data in Fasterxml Jackson-Databind
2020-06-05 02:05:15
Exploit for Deserialization of Untrusted Data in Fasterxml Jackson-Databind
2020-11-11 07:53:21
veracode
veracode
Remote Code Execution
2020-02-11 02:42:43
Remote Code Execution (RCE)
2019-01-03 02:29:19
Deserialization Of Untrusted Data
2018-12-28 04:02:56
osv
osv
CVE-2020-8840
2020-02-10 21:56:10
Arbitrary Code Execution in jackson-databind
2019-01-04 19:06:55
CVE-2018-14718
2019-01-02 18:29:00
cve
cve
CVE-2020-8840
2020-02-10 21:56:00
CVE-2018-14719
2019-01-02 18:29:00
CVE-2018-14721
2019-01-02 18:29:00
prion
prion
Deserialization of untrusted data
2019-01-02 18:29:00
Deserialization of untrusted data
2019-01-02 18:29:00
Deserialization of untrusted data
2019-01-02 18:29:00
redhatcve
redhatcve
CVE-2018-14719
2021-06-13 06:35:02
CVE-2020-8840
2021-07-18 00:41:10
CVE-2018-14721
2021-08-01 04:20:29
atlassian
atlassian
Update Application links to ensure that a version of jackson-databind containing a fix for CVE-2018-14721 is used
2019-07-09 02:47:04
Update Application links to ensure that a version of jackson-databind containing a fix for CVE-2018-14721 is used
2019-07-09 02:43:36
Update Application links to ensure that a version of jackson-databind containing a fix for CVE-2018-14721 is used
2019-07-09 02:47:04
ubuntucve
ubuntucve
CVE-2018-14721
2019-01-02 00:00:00
CVE-2020-8840
2020-02-10 00:00:00
CVE-2018-14718
2019-01-02 00:00:00
huawei
huawei
Security Advisory - fastjson Injection Vulnerability in Huawei Products
2020-07-22 00:00:00
Security Advisory - FasterXML Jackson-databind Injection Vulnerability in Huawei Products
2020-06-10 00:00:00
fedora
fedora
[SECURITY] Fedora 28 Update: jackson-databind-2.9.4-3.fc28
2018-04-01 00:46:43
[SECURITY] Fedora 29 Update: jackson-dataformats-text-2.9.8-1.fc29
2019-02-19 14:03:52
[SECURITY] Fedora 29 Update: jackson-core-2.9.8-1.fc29
2019-02-19 14:03:52
openvas
openvas
Oracle Database Server 'Rapid Home Provisioning' Component Unspecified Vulnerability
2018-10-17 00:00:00
Debian: Security Advisory (DLA-1703-1)
2019-03-03 00:00:00
Fedora Update for bouncycastle FEDORA-2019-df57551f6d
2019-05-07 00:00:00
debian
debian
[SECURITY] [DLA 1703-1] jackson-databind security update
2019-03-04 12:13:19
[SECURITY] [DSA 4452-1] jackson-databind security update
2019-05-24 21:04:55
[SECURITY] [DSA 4190-1] jackson-databind security update
2018-05-03 13:56:38
attackerkb
attackerkb
CVE-2020-1938
2020-02-24 00:00:00
checkpoint_advisories
checkpoint_advisories
FasterXML jackson-databind Remote Code Execution (CVE-2020-14645; CVE-2020-24616; CVE-2020-8840)
2020-12-27 00:00:00
Apache Struts2 Jackson Library Remote Code Execution (CVE-2017-15095; CVE-2017-17485; CVE-2017-7525; CVE-2018-7489)
2017-12-05 00:00:00
ubuntu
ubuntu
Jackson Databind vulnerabilities
2021-03-15 00:00:00

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.939 High

EPSS

Percentile

99.1%

JSON
Related for C7DD07DAD80496C03ABFD0EE55F04C1759F2915C9B0A8C1F66F87E8D2110B95B
ibm32nessus21freebsd2redhat29github5debiancve5f51githubexploit3veracode5osv15cve6prion6redhatcve6atlassian4ubuntucve5huawei2fedora19openvas24debian5attackerkb1checkpoint_advisories2ubuntu1