Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2018-12023

Опубликовано: 08 июн. 2018
Источник: redhat
CVSS3: 5.6
EPSS Низкий

Описание

An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.

A vulnerability was discovered in jackson-databind where it would permit deserialization of a malicious object using Oracle JDBC classes when using DefaultTyping. An attacker could use this flaw to achieve remote code execution under certain circumstances.

Отчет

Red Hat Satellite 6 is not affected by this issue, since Candlepin's java runtime environment does not load Oracle's JDBC classes. Red Hat Virtualization 4 is not affected by this issue, since it does not load Oracle's JDBC classes. Red Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Enterprise Linux 8jackson-databindNot affected
Red Hat JBoss A-MQ 6jackson-databindAffected
Red Hat JBoss Enterprise Application Platform 6jackson-databindNot affected
Red Hat JBoss Fuse Integration Service 2jackson-databindAffected
Red Hat JBoss Operations Network 3Core ServerNot affected
Red Hat Mobile Application Platform 4jackson-databindNot affected
Red Hat OpenShift Application Runtimesjackson-databindAffected
Red Hat OpenShift Container Platform 3.10elasticsearch-cloud-kubernetesAffected
Red Hat OpenShift Container Platform 3.10openshift-elasticsearch-pluginAffected
Red Hat OpenShift Container Platform 3.11jackson-databindNot affected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Important
Дефект:
CWE-502
https://bugzilla.redhat.com/show_bug.cgi?id=1671096jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver

EPSS

Процентиль: 89%
0.04812
Низкий

5.6 Medium

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2018-12023

CVSS3: 7.5
ubuntu
почти 7 лет назад

An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.

nvd логотип

CVE-2018-12023

CVSS3: 7.5
nvd
почти 7 лет назад

An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.

debian логотип

CVE-2018-12023

CVSS3: 7.5
debian
почти 7 лет назад

An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4 ...

github логотип

GHSA-6wqp-v4v6-c87c

CVSS3: 7.5
github
больше 5 лет назад

Deserialization of Untrusted Data

fstec логотип

BDU:2019-01765

CVSS3: 8.1
fstec
больше 7 лет назад

Уязвимость библиотеки jackson-databind, связанная с восстановлением в памяти недостоверной структуры данных, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации

EPSS

Процентиль: 89%
0.04812
Низкий

5.6 Medium

CVSS3