Lucene search
Redhat.comRH:CVE-2018-7489HistoryDec 06, 2020 - 11:49 a.m.
CVE-2018-7489
2020-12-0611:49:47
redhat.com
access.redhat.com
51
0.939 High
EPSS
Percentile
99.2%
FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.
Mitigation
Advice on how to remain safe while using JAX-RS webservices on JBoss EAP 7.x is available here:
<https://access.redhat.com/solutions/3279231>
<https://github.com/FasterXML/jackson-docs/wiki/JacksonPolymorphicDeserialization>
General Mitigation:
Try to avoid
- Deserialization from sources you do not control
enableDefaultTyping()@JsonTypeInfo usingid.CLASSorid.MINIMAL_CLASS`
Related
osv
osv
FasterXML jackson-databind allows unauthenticated remote code execution
2018-10-16 17:45:18
CVE-2018-7489
2018-02-26 15:29:00
jackson-databind - security update
2018-05-03 00:00:00
nvd
nvd
cvelist
cvelist
debian
debian
[SECURITY] [DSA 4190-1] jackson-databind security update
2018-05-03 13:56:38
[SECURITY] [DSA 4190-1] jackson-databind security update
2018-05-03 13:56:38
[SECURITY] [DSA 4004-1] jackson-databind security update
2017-10-20 05:52:40
openvas
openvas
Debian: Security Advisory (DSA-4190-1)
2018-05-02 00:00:00
Oracle Database Server 'Rapid Home Provisioning' Component Unspecified Vulnerability
2018-10-17 00:00:00
Mageia: Security Advisory (MGASA-2017-0255)
2022-01-28 00:00:00
debiancve
debiancve
prion
prion
Design/Logic Flaw
2018-02-26 15:29:00
Deserialization of untrusted data
2018-02-06 15:29:00
Design/Logic Flaw
2018-01-10 18:29:00
redhat
redhat
nessus
nessus
Debian DSA-4190-1 : jackson-databind - security update
2018-05-04 00:00:00
FreeBSD : payara -- Default typing issue in Jackson Databind (93f8e0ff-f33d-11e8-be46-0019dbb15b3f)
2018-11-29 00:00:00
RHEL 7 : Red Hat JBoss Enterprise Application Platform (RHSA-2018:2089)
2018-06-29 00:00:00
ubuntucve
ubuntucve
freebsd
freebsd
payara -- Default typing issue in Jackson Databind
2018-02-26 00:00:00
veracode
veracode
Remote Code Execution (RCE)
2018-02-27 02:43:42
Remote Code Execution (RCE) Through Deserialization
2019-01-15 09:18:21
Remote Code Execution (RCE) Through Deserialization
2017-04-19 05:40:17
github
github
cve
cve
checkpoint_advisories
checkpoint_advisories
ibm
ibm
fedora
fedora
[SECURITY] Fedora 28 Update: jackson-databind-2.9.4-3.fc28
2018-04-01 00:46:43
[SECURITY] Fedora 26 Update: jackson-databind-2.7.6-3.fc26
2017-08-12 18:26:51
[SECURITY] Fedora 24 Update: jackson-databind-2.6.3-3.fc24
2017-07-31 19:19:46
seebug
seebug
Apache Struts2 S2-055(CVE-2017-7525)
2017-12-01 00:00:00
Jackson enableDefaultTyping method of deserialization code execution vulnerability(CVE-2017-7525)
2017-04-17 00:00:00
Jackson-databind θΏη¨δ»£η ζ§θ‘ζΌζ΄(CVE-2017-17485)
2018-01-11 00:00:00
huawei
huawei
redhatcve
redhatcve
zdt
zdt
Apache Struts2 S2-055 DoS Vulnerability
2017-12-02 00:00:00
f5
f5
K65417229 : Apache Struts vulnerability CVE-2017-7525
2017-12-05 00:00:00
mageia
mageia
Updated jackson-databind packages fix security vulnerability
2017-08-12 01:24:19
Updated jackson-databind packages fix security vulnerability
2017-11-16 10:39:32
ubuntu
ubuntu
Jackson vulnerabilities
2021-02-18 00:00:00