CVE-2018-19361

Published: Jan 2, 2019Modified: Nov 21, 2024

9.8

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.

Affected (25)

Products: Fasterxml: Jackson Databind · Debian: Debian Linux · Oracle: Business Process Management Suite, Primavera P6 Enterprise Project Portfolio Management, Primavera Unifier, Retail Workforce Management Software, Webcenter Portal · +1 more

Show all products

Fasterxml: Jackson Databind · Debian: Debian Linux · Oracle: Business Process Management Suite, Primavera P6 Enterprise Project Portfolio Management, Primavera Unifier, Retail Workforce Management Software, Webcenter Portal · Redhat: Automation Manager, Decision Manager, Jboss Bpm Suite, Jboss Brms, Openshift Container Platform

1 product

1 product

5 products

Business Process Management Suite

Primavera P6 Enterprise Project Portfolio Management

Primavera Unifier

Retail Workforce Management Software

5 products

Openshift Container Platform

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Fasterxml Jackson Databind	From 2.6.0 to 2.6.7.2
Fasterxml Jackson Databind	From 2.7.0 to 2.7.9.5
Fasterxml Jackson Databind	From 2.8.0 to 2.8.11.3
Fasterxml Jackson Databind	From 2.9.0 to 2.9.8

Configuration B

2 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 8.0
Debian Debian Linux	Version 9.0

Configuration C

14 vulnerable

Vulnerable Software	Affected Versions
Oracle Business Process Management Suite	Version 12.1.3.0.0
Oracle Business Process Management Suite	Version 12.2.1.3.0
Oracle Primavera P6 Enterprise Project Portfolio Management	From 17.7 to 17.12
Oracle Primavera P6 Enterprise Project Portfolio Management	Version 15.1
Oracle Primavera P6 Enterprise Project Portfolio Management	Version 15.2
Oracle Primavera P6 Enterprise Project Portfolio Management	Version 16.1
Oracle Primavera P6 Enterprise Project Portfolio Management	Version 16.2
Oracle Primavera P6 Enterprise Project Portfolio Management	Version 18.8
Oracle Primavera Unifier	From 17.7 to 17.12
Oracle Primavera Unifier	Version 16.1
Oracle Primavera Unifier	Version 16.2
Oracle Primavera Unifier	Version 18.8
Oracle Retail Workforce Management Software	Version 1.60.9.0.0
Oracle Webcenter Portal	Version 12.2.1.3.0

Configuration D

5 vulnerable

Vulnerable Software	Affected Versions
Redhat Automation Manager	Version 7.3.1
Redhat Decision Manager	Version 7.3.1
Redhat Jboss Bpm Suite	Version 6.4.11
Redhat Jboss Brms	Version 6.4.10
Redhat Openshift Container Platform	Version 3.11

Related CWEs

CWE-502

Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References (74)

http://www.securityfocus.com/bid/107985

Source: cve@mitre.org

Third Party AdvisoryVDB Entry

https://access.redhat.com/errata/RHBA-2019:0959

Source: cve@mitre.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:0782

Source: cve@mitre.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:0877

Source: cve@mitre.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:1782

Source: cve@mitre.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:1797

Source: cve@mitre.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:1822

Source: cve@mitre.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:1823

Source: cve@mitre.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:2804

Source: cve@mitre.org

https://access.redhat.com/errata/RHSA-2019:2858

Source: cve@mitre.org

https://access.redhat.com/errata/RHSA-2019:3002

Source: cve@mitre.org

https://access.redhat.com/errata/RHSA-2019:3140

Source: cve@mitre.org

https://access.redhat.com/errata/RHSA-2019:3149

Source: cve@mitre.org

https://access.redhat.com/errata/RHSA-2019:3892

Source: cve@mitre.org

https://access.redhat.com/errata/RHSA-2019:4037

Source: cve@mitre.org

https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b

Source: cve@mitre.org

PatchThird Party Advisory

https://github.com/FasterXML/jackson-databind/issues/2186

Source: cve@mitre.org

Issue TrackingPatchThird Party Advisory

https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8

Source: cve@mitre.org

PatchRelease NotesThird Party Advisory

https://issues.apache.org/jira/browse/TINKERPOP-2121

Source: cve@mitre.org

Issue TrackingThird Party Advisory

https://lists.apache.org/thread.html/37e1ed724a1b0e5d191d98c822c426670bdfde83804567131847d2a3%40%3Cdevnull.infra.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3%40%3Ccommits.nifi.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/c70da3cb6e3f03e0ad8013e38b6959419d866c4a7c80fdd34b73f25c%40%3Ccommits.pulsar.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E

Source: cve@mitre.org

https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html

Source: cve@mitre.org

Mailing ListThird Party Advisory

https://seclists.org/bugtraq/2019/May/68

Source: cve@mitre.org

Mailing ListThird Party Advisory

https://security.netapp.com/advisory/ntap-20190530-0003/

Source: cve@mitre.org

Third Party Advisory

https://www.debian.org/security/2019/dsa-4452

Source: cve@mitre.org

Third Party Advisory

https://www.oracle.com/security-alerts/cpuapr2020.html

Source: cve@mitre.org

https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

Source: cve@mitre.org

PatchThird Party Advisory

https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Source: cve@mitre.org

PatchThird Party Advisory

https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

Source: cve@mitre.org

http://www.securityfocus.com/bid/107985