Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2018-19361

Опубликовано: 18 нояб. 2018
Источник: redhat
CVSS3: 7.3

Описание

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.

A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using the OpenJPA class. An attacker could use this flaw to execute arbitrary code.

Отчет

Red Hat Satellite 6 is not affected by this issue, since its candlepin component doesn't bundle openjpa jar. Red Hat Virtualization 4 is not affected by this issue, since its candlepin component doesn't bundle openjpa jar. Red Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Enterprise Linux 8jackson-databindNot affected
Red Hat JBoss A-MQ 6jackson-databindAffected
Red Hat JBoss Enterprise Application Platform 6jackson-databindNot affected
Red Hat JBoss Enterprise Application Platform 7jackson-databindAffected
Red Hat JBoss Fuse Integration Service 2jackson-databindAffected
Red Hat JBoss Operations Network 3Core ServerNot affected
Red Hat Mobile Application Platform 4jackson-databindNot affected
Red Hat OpenShift Application Runtimesjackson-databindAffected
Red Hat OpenShift Container Platform 3.10elasticsearch-cloud-kubernetesAffected
Red Hat OpenShift Container Platform 3.10openshift-elasticsearch-pluginAffected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Important
Дефект:
CWE-502
https://bugzilla.redhat.com/show_bug.cgi?id=1666484jackson-databind: improper polymorphic deserialization in openjpa class

7.3 High

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2018-19361

CVSS3: 9.8
ubuntu
около 7 лет назад

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.

nvd логотип

CVE-2018-19361

CVSS3: 9.8
nvd
около 7 лет назад

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.

debian логотип

CVE-2018-19361

CVSS3: 9.8
debian
около 7 лет назад

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to h ...

github логотип

GHSA-mx9v-gmh4-mgqw

CVSS3: 9.8
github
около 7 лет назад

Deserialization of Untrusted Data in jackson-databind

fstec логотип

BDU:2019-02897

CVSS3: 9.8
fstec
около 7 лет назад

Уязвимость функции FasterXML Java-библиотеки для грамматического разбора JSON файлов jackson-databind, позволяющая нарушителю выполнить произвольный код или вызвать отказ в обслуживании

7.3 High

CVSS3