CVE-2018-11307

Published: Jul 9, 2019Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and 2.9.6.

Affected (13)

Products: Fasterxml: Jackson Databind · Redhat: Openshift Container Platform · Oracle: Clusterware, Communications Instant Messaging Server, Global Lifecycle Management Opatch, Retail Customer Management And Segmentation Foundation, Utilities Advanced Spatial And Operational Analytics

Fasterxml

1 product

Jackson Databind

Redhat

1 product

Openshift Container Platform

Oracle

5 products

Clusterware

Communications Instant Messaging Server

Global Lifecycle Management Opatch

Retail Customer Management And Segmentation Foundation

Utilities Advanced Spatial And Operational Analytics

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Fasterxml Jackson Databind	From 2.0.0 to 2.6.7.3
Fasterxml Jackson Databind	From 2.7.0 to 2.7.9.4
Fasterxml Jackson Databind	From 2.8.0 to 2.8.11.2
Fasterxml Jackson Databind	From 2.9.0 to 2.9.6

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Redhat Openshift Container Platform	Version 3.11

Configuration C

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Redhat Openshift Container Platform	Version 4.1

Running on/with	Platform Versions
Redhat Enterprise Linux	Version 7.0

Configuration D

7 vulnerable

Vulnerable Software	Affected Versions
Oracle Clusterware	Version 12.1.0.2.0
Oracle Communications Instant Messaging Server	Version 10.0.1.2.0
Oracle Global Lifecycle Management Opatch	Before 11.2.0.3.23
Oracle Global Lifecycle Management Opatch	From 12.2.0.1.0 to 12.2.0.1.19
Oracle Global Lifecycle Management Opatch	From 13.9.4.0.0 to 13.9.4.2.1
Oracle Retail Customer Management And Segmentation Foundation	Version 17.0
Oracle Utilities Advanced Spatial And Operational Analytics	Version 2.7.0.1

Related CWEs

CWE-502

Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References (42)

https://access.redhat.com/errata/RHSA-2019:0782

Source: cve@mitre.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:1822

Source: cve@mitre.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:1823

Source: cve@mitre.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:2804

Source: cve@mitre.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:2858

Source: cve@mitre.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:3002

Source: cve@mitre.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:3140

Source: cve@mitre.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:3149

Source: cve@mitre.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:3892

Source: cve@mitre.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:4037

Source: cve@mitre.org

Third Party Advisory

https://github.com/FasterXML/jackson-databind/issues/2032

Source: cve@mitre.org

Third Party Advisory

https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E

Source: cve@mitre.org

Mailing ListThird Party Advisory

https://lists.apache.org/thread.html/7fcf88aff0d1deaa5c3c7be8d58c05ad7ad5da94b59065d8e7c50c5d%40%3Cissues.lucene.apache.org%3E

Source: cve@mitre.org

Mailing ListThird Party Advisory

https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E

Source: cve@mitre.org

Mailing ListThird Party Advisory

https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E

Source: cve@mitre.org

Mailing ListThird Party Advisory

https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062

Source: cve@mitre.org

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2017-7525

Source: cve@mitre.org

Third Party AdvisoryUS Government Resource

https://www.oracle.com/security-alerts/cpuapr2020.html

Source: cve@mitre.org

Third Party Advisory

https://www.oracle.com/security-alerts/cpujan2020.html

Source: cve@mitre.org

Third Party Advisory

https://www.oracle.com/security-alerts/cpuoct2020.html

Source: cve@mitre.org

Third Party Advisory

https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Source: cve@mitre.org

PatchThird Party Advisory

https://access.redhat.com/errata/RHSA-2019:0782