Описание
An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.
A vulnerability was discovered in jackson-databind where it would permit deserialization of a malicious object using Jodd DB connection classes when using DefaultTyping. An attacker could use this flaw to achieve remote code execution under certain circumstances.
Отчет
Red Hat Satellite 6 is not affected by this issue, since Candlepin's java runtime environment does not load Jodd classes. Red Hat Virtualization 4 is not affected by this issue, since it does not load Jodd classes.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 8 | jackson-databind | Not affected | ||
| Red Hat JBoss A-MQ 6 | jackson-databind | Affected | ||
| Red Hat JBoss Enterprise Application Platform 6 | jackson-databind | Not affected | ||
| Red Hat JBoss Fuse Integration Service 2 | jackson-databind | Affected | ||
| Red Hat JBoss Operations Network 3 | Core Server | Not affected | ||
| Red Hat Mobile Application Platform 4 | jackson-databind | Not affected | ||
| Red Hat OpenShift Application Runtimes | jackson-databind | Affected | ||
| Red Hat OpenShift Container Platform 3.10 | elasticsearch-cloud-kubernetes | Affected | ||
| Red Hat OpenShift Container Platform 3.10 | openshift-elasticsearch-plugin | Affected | ||
| Red Hat OpenShift Container Platform 3.11 | jackson-databind | Not affected |
Показывать по
Дополнительная информация
Статус:
EPSS
7.3 High
CVSS3
Связанные уязвимости
An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.
An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.
An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4 ...
jackson-databind Deserialization of Untrusted Data vulnerability
Уязвимость библиотеки jackson-databind, связанная с восстановлением в памяти недостоверной структуры данных, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации
EPSS
7.3 High
CVSS3