CVE-2018-11307

Опубликовано: 10 мая 2018

Источник: redhat

CVSS3: 5.6

EPSS Средний

Описание

An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and 2.9.6.

A vulnerability was discovered in jackson-databind where it would permit deserialization of a malicious object using MyBatis classes when using DefaultTyping. An attacker could use this flaw to achieve content exfiltration and possibly conduct further attacks.

Отчет

Red Hat Satellite 6 is not affected by this issue, since Candlepin's java runtime environment does not load MyBatis classes. Red Hat Virtualization 4 is not affected by this issue, since it does not include MyBatis classes. Red Hat Fuse 6 and 7 are not directly affected by this issue, as although they do ship the vulnerable jackson-databind component, they do not enable polymorphic deserialization or default typing which are required for exploitability. Their impacts have correspondingly been reduced to Moderate. Future updates may address this flaw.

Затронутые пакеты

Платформа	Пакет	Состояние
Red Hat BPM Suite 6	jackson-databind	Affected
Red Hat Enterprise Linux 8	jackson-databind	Not affected
Red Hat JBoss A-MQ 6	jackson-databind	Affected
Red Hat JBoss BRMS 6	jackson-databind	Will not fix
Red Hat JBoss Enterprise Application Platform 6	jackson-databind	Not affected
Red Hat JBoss Fuse Integration Service 2	jackson-databind	Affected
Red Hat JBoss Operations Network 3	Core Server	Not affected
Red Hat Mobile Application Platform 4	jackson-databind	Not affected
Red Hat OpenShift Application Runtimes	jackson-databind	Affected
Red Hat OpenShift Container Platform 3.10	elasticsearch-cloud-kubernetes	Affected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Important

Дефект:

CWE-502

https://bugzilla.redhat.com/show_bug.cgi?id=1677341jackson-databind: Potential information exfiltration with default typing, serialization gadget from MyBatis

EPSS

Процентиль: 94%

0.12636

Средний

5.6 Medium

CVSS3

Связанные уязвимости

CVE-2018-11307

CVSS3: 9.8

ubuntu

больше 6 лет назад

CVE-2018-11307

CVSS3: 9.8

nvd

больше 6 лет назад

CVE-2018-11307

CVSS3: 9.8

debian

больше 6 лет назад

An issue was discovered in FasterXML jackson-databind 2.0.0 through 2. ...

GHSA-qr7j-h6gg-jmgc

CVSS3: 9.8

github

больше 6 лет назад

Deserialization of Untrusted Data in jackson-databind

BDU:2019-01771

CVSS3: 8.1

fstec

больше 7 лет назад

Уязвимость библиотеки jackson-databind, связанная с недостатками механизма десериализации, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации

EPSS

Процентиль: 94%

0.12636

Средний

5.6 Medium

CVSS3