exploitDog
CVE-2018-14719

Published: 27 Jul 2018
Source: redhat
CVSS3: 8.1
EPSS: Low

Description

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization.

A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using the blaze-ds classes as a gadget. An attacker who can submit JSON to an application that resolves polymorphic types from untrusted input (for example with default typing enabled) could use this flaw to execute arbitrary code, provided the blaze-ds gadget classes are present on the application's classpath.

Statement

The following Red Hat products are not affected by this issue as they do not bundle or provide the requisite gadget jars to exploit this vulnerability:
- Red Hat Satellite 6
- Red Hat Enterprise Virtualization 4
- Red Hat Fuse 6, 7, and Fuse Integration Services 2
- Red Hat A-MQ 6
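The description and the statement above together give the practical affectedness rule for this CVE: a deployment is exposed when it ships jackson-databind 2.x older than 2.9.7 and the blaze-ds gadget jars are on the same classpath (which is why Red Hat rates products without those jars as not affected). The script below is an added triage example, not code from the advisory, from exploitDog, or from the Jackson project. It classifies a classpath listing by that rule. The jar file-name patterns for the gadget jars (`blazeds-core`, `blazeds-opt`, with or without a hyphen in `blaze-ds`) and the sample classpaths are assumptions constructed for the example; check the patterns against how your build names those artifacts.

```python
"""Triage helper for CVE-2018-14719 (jackson-databind, blaze-ds gadget).

Added example, not part of the advisory or of jackson-databind itself.
Rule applied: affected = jackson-databind 2.x < 2.9.7 on the classpath
                         AND blaze-ds gadget jars on the classpath.
"""
import re
from typing import NamedTuple, Optional, Tuple

# Version in which jackson-databind started blocking the blaze-ds classes.
FIXED_VERSION = (2, 9, 7)

# Assumed file-name patterns for the gadget jars the advisory refers to.
GADGET_JAR_PATTERNS = (re.compile(r"blaze-?ds-(core|opt)", re.IGNORECASE),)

# Matches e.g. jackson-databind-2.9.6.jar, jackson-databind-2.9.5.redhat-00001.jar,
# jackson-databind-2.9.8-SNAPSHOT.jar; group 1 is the numeric version.
JACKSON_JAR_RE = re.compile(
    r"jackson-databind-(\d+(?:\.\d+)*)(?:[.-][\w.-]*)?\.jar$"
)


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.9.7.1' -> (2, 9, 7, 1); tuple order matches Maven numeric ordering."""
    return tuple(int(part) for part in text.split("."))


class Finding(NamedTuple):
    jackson_version: Optional[str]   # lowest jackson-databind version seen
    vulnerable_version: bool          # 2.x and older than 2.9.7
    gadget_jars: Tuple[str, ...]      # jars matching the gadget patterns
    affected: bool                    # both conditions hold


def triage_classpath(jar_paths) -> Finding:
    """Classify a list of jar paths (as from a classpath or a lib/ listing)."""
    versions = []
    for path in jar_paths:
        match = JACKSON_JAR_RE.search(path.rsplit("/", 1)[-1])
        if match:
            versions.append(match.group(1))
    # If several copies are present, classpath order decides which one loads;
    # be conservative and judge by the oldest copy.
    jackson_version = min(versions, key=parse_version) if versions else None

    gadgets = tuple(
        path for path in jar_paths
        if any(p.search(path) for p in GADGET_JAR_PATTERNS)
    )

    vulnerable = False
    if jackson_version is not None:
        version = parse_version(jackson_version)
        # Only the 2.x line is in scope for this CVE; 2.9.7 and later block the gadget.
        vulnerable = version[0] == 2 and version < FIXED_VERSION

    return Finding(jackson_version, vulnerable, gadgets, vulnerable and bool(gadgets))


# Constructed sample classpaths (not taken from any real deployment).
SAMPLE_EXPOSED = [
    "lib/jackson-core-2.9.6.jar",
    "lib/jackson-databind-2.9.6.jar",
    "lib/blazeds-core-4.0.1.jar",
    "lib/blazeds-opt-4.0.1.jar",
]
SAMPLE_NO_GADGET = [
    "lib/jackson-core-2.9.6.jar",
    "lib/jackson-databind-2.9.6.jar",
]
SAMPLE_FIXED = [
    "lib/jackson-databind-2.9.7.jar",
    "lib/blazeds-core-4.0.1.jar",
]

if __name__ == "__main__":
    for label, classpath in (("exposed", SAMPLE_EXPOSED),
                             ("no gadget jars", SAMPLE_NO_GADGET),
                             ("fixed version", SAMPLE_FIXED)):
        finding = triage_classpath(classpath)
        print(f"{label:15} jackson-databind={finding.jackson_version} "
              f"vulnerable_version={finding.vulnerable_version} "
              f"gadgets={len(finding.gadget_jars)} affected={finding.affected}")
```

The "not affected" outcome for a classpath without the gadget jars mirrors Red Hat's reasoning in the statement, but it is a classpath snapshot, not a fix: adding a blaze-ds dependency later reopens the issue, so upgrading jackson-databind to 2.9.7 or later remains the remediation.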

Affected packages

Platform                                                  | Package                       | State        | Recommendation | Release
Red Hat Enterprise Linux 8                                | jackson-databind              | Not affected |                |
Red Hat JBoss A-MQ 6                                      | jackson-databind              | Not affected |                |
Red Hat JBoss Enterprise Application Platform 6           | jackson-databind              | Not affected |                |
Red Hat JBoss Enterprise Application Platform 7           | jackson-databind              | Affected     |                |
Red Hat JBoss Enterprise Application Platform Continuous Delivery | jackson-databind      | Affected     |                |
Red Hat JBoss Fuse Integration Service 2                  | jackson-databind              | Not affected |                |
Red Hat JBoss Operations Network 3                        | Core Server                   | Not affected |                |
Red Hat Mobile Application Platform 4                     | jackson-databind              | Not affected |                |
Red Hat OpenShift Application Runtimes                    | jackson-databind              | Affected     |                |
Red Hat OpenShift Container Platform 3.10                 | elasticsearch-cloud-kubernetes | Affected    |                |


Additional information

Status (Red Hat severity): Important
Weakness: CWE-502
Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1666418
Bug title: jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes

EPSS: 0.03324 (percentile 87%), Low
CVSS3: 8.1 High

Related vulnerabilities

CVSS3: 9.8
ubuntu
about 7 years ago

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization.

CVSS3: 9.8
nvd
about 7 years ago

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization.

CVSS3: 9.8
debian
about 7 years ago

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attacke ...

CVSS3: 9.8
github
about 7 years ago

Arbitrary Code Execution in jackson-databind

CVSS3: 9.8
fstec
more than 7 years ago

Vulnerability in the jackson-databind library related to reconstruction in memory (deserialization) of an untrusted data structure, allowing an attacker to execute arbitrary code
