Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2018-19362

Опубликовано: 18 нояб. 2018
Источник: redhat
CVSS3: 7.3

Описание

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.

A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using the jboss-common-core class. An attacker could use this flaw to execute arbitrary code.

Отчет

Red Hat Satellite 6 is not affected by this issue, since its candlepin component doesn't bundle jboss-common-core jar. Red Hat Virtualization 4 is not affected by this issue, since its candlepin component doesn't bundle jboss-common-core jar.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Enterprise Linux 8jackson-databindNot affected
Red Hat JBoss A-MQ 6jackson-databindAffected
Red Hat JBoss Enterprise Application Platform 6jackson-databindNot affected
Red Hat JBoss Enterprise Application Platform 7jackson-databindAffected
Red Hat JBoss Fuse Integration Service 2jackson-databindAffected
Red Hat JBoss Operations Network 3Core ServerNot affected
Red Hat Mobile Application Platform 4jackson-databindNot affected
Red Hat OpenShift Application Runtimesjackson-databindAffected
Red Hat OpenShift Container Platform 3.10elasticsearch-cloud-kubernetesAffected
Red Hat OpenShift Container Platform 3.10openshift-elasticsearch-pluginAffected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Important
Дефект:
CWE-502
https://bugzilla.redhat.com/show_bug.cgi?id=1666489jackson-databind: improper polymorphic deserialization in jboss-common-core class

7.3 High

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2018-19362

CVSS3: 9.8
ubuntu
около 7 лет назад

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.

nvd логотип

CVE-2018-19362

CVSS3: 9.8
nvd
около 7 лет назад

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.

debian логотип

CVE-2018-19362

CVSS3: 9.8
debian
около 7 лет назад

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to h ...

github логотип

GHSA-c8hm-7hpq-7jhg

CVSS3: 9.8
github
около 7 лет назад

com.fasterxml.jackson.core:jackson-databind vulnerable to Deserialization of Untrusted Data

fstec логотип

BDU:2019-02898

CVSS3: 9.8
fstec
около 7 лет назад

Уязвимость функции FasterXML Java-библиотеки для грамматического разбора JSON файлов jackson-databind, позволяющая нарушителю оказать воздействие на целостность данных, получить доступ к конфиденциальным данным, а также вызвать отказ в обслуживании

7.3 High

CVSS3