Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2018-14718

Опубликовано: 27 июл. 2018
Источник: redhat
CVSS3: 8.1
EPSS Средний

Описание

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.

A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using slf4j classes. An attacker could use this flaw to execute arbitrary code.

Отчет

This vulnerability in jackson-databind involves exploiting CVE-2018-1088 against slf4j, which was fixed in Red Hat products through the errata referenced at https://access.redhat.com/security/cve/cve-2018-8088. Applications that link only slf4j versions including that fix are not vulnerable to this vulnerability. Red Hat Satellite 6 is not affected by this issue, since its candlepin component doesn't bundle slf4j-ext jar.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Enterprise Linux 8jackson-databindNot affected
Red Hat JBoss A-MQ 6jackson-databindNot affected
Red Hat JBoss Enterprise Application Platform 6jackson-databindNot affected
Red Hat JBoss Enterprise Application Platform 7jackson-databindAffected
Red Hat JBoss Enterprise Application Platform Continuous Deliveryjackson-databindAffected
Red Hat JBoss Fuse Integration Service 2jackson-databindAffected
Red Hat JBoss Operations Network 3Core ServerNot affected
Red Hat Mobile Application Platform 4jackson-databindNot affected
Red Hat OpenShift Application Runtimesjackson-databindAffected
Red Hat OpenShift Container Platform 3.10elasticsearch-cloud-kubernetesAffected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Important
Дефект:
CWE-502
https://bugzilla.redhat.com/show_bug.cgi?id=1666415jackson-databind: arbitrary code execution in slf4j-ext class

EPSS

Процентиль: 94%
0.14515
Средний

8.1 High

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2018-14718

CVSS3: 9.8
ubuntu
около 7 лет назад

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.

nvd логотип

CVE-2018-14718

CVSS3: 9.8
nvd
около 7 лет назад

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.

debian логотип

CVE-2018-14718

CVSS3: 9.8
debian
около 7 лет назад

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attacke ...

github логотип

GHSA-645p-88qh-w398

CVSS3: 9.8
github
около 7 лет назад

Arbitrary Code Execution in jackson-databind

fstec логотип

BDU:2019-01372

CVSS3: 9.8
fstec
около 7 лет назад

Уязвимость библиотеки Jackson-databind, вызванная отсутствием защиты класса slf4j-ext от полиморфной десериализации, позволяющая нарушителю выполнить произвольный код

EPSS

Процентиль: 94%
0.14515
Средний

8.1 High

CVSS3