Lucene search

Veracode Vulnerability DatabaseVERACODE:12540

HistoryJan 15, 2019 - 9:18 a.m.

Remote Code Execution (RCE) Through Deserialization

2019-01-1509:18:21

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

0.571 Medium

EPSS

Percentile

97.7%

JSON

Jackson-databind is vulnerable to remote code execution (RCE) attacks. These attacks are possible during bean deserialization. Using this flaw attackers are able to execute code and commands. In order to be vulnerable to this attack, either the use of @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) or @JsonTypeInfo(use = JsonTypeInfo.Id.MINIMAL_CLASS) or a call to ObjectMapper.enableDefaultTyping(...) is needed.

CPENameOperatorVersion
rh-eclipse46-jackson-databindeq2.6.3__2.2.el7
devtoolset-4-jackson-databindeq2.5.0__2.3.el7
devtoolset-4-jackson-databindeq2.5.0__2.3.el6
eap7-jboss-remotingeq4.0.22__1.Final_redhat_1.1.ep7.el6
eap7-jboss-remotingeq4.0.18__1.Final_redhat_1.1.ep7.el7
eap7-jboss-remotingeq4.0.21__1.Final_redhat_1.1.ep7.el7
eap7-jboss-remotingeq4.0.21__1.Final_redhat_1.1.ep7.el6
eap7-jboss-remotingeq4.0.24__1.Final_redhat_1.1.ep7.el7
eap7-jboss-remotingeq4.0.23__1.Final_redhat_1.1.ep7.el7
eap7-jboss-remotingeq4.0.22__1.Final_redhat_1.1.ep7.el7

Name	Operator	Version
rh-eclipse46-jackson-databind	eq	2.6.3__2.2.el7
devtoolset-4-jackson-databind	eq	2.5.0__2.3.el7
devtoolset-4-jackson-databind	eq	2.5.0__2.3.el6
eap7-jboss-remoting	eq	4.0.22__1.Final_redhat_1.1.ep7.el6
eap7-jboss-remoting	eq	4.0.18__1.Final_redhat_1.1.ep7.el7
eap7-jboss-remoting	eq	4.0.21__1.Final_redhat_1.1.ep7.el7
eap7-jboss-remoting	eq	4.0.21__1.Final_redhat_1.1.ep7.el6
eap7-jboss-remoting	eq	4.0.24__1.Final_redhat_1.1.ep7.el7
eap7-jboss-remoting	eq	4.0.23__1.Final_redhat_1.1.ep7.el7
eap7-jboss-remoting	eq	4.0.22__1.Final_redhat_1.1.ep7.el7

Rows per page:

1-10 of 99901

References

www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

www.securityfocus.com/bid/99623

www.securitytracker.com/id/1039744

www.securitytracker.com/id/1039947

www.securitytracker.com/id/1040360

access.redhat.com/errata/RHSA-2017:1834

access.redhat.com/errata/RHSA-2017:1835

access.redhat.com/errata/RHSA-2017:1836

access.redhat.com/errata/RHSA-2017:1837

access.redhat.com/errata/RHSA-2017:1839

access.redhat.com/errata/RHSA-2017:1840

access.redhat.com/errata/RHSA-2017:2477

access.redhat.com/errata/RHSA-2017:2546

access.redhat.com/errata/RHSA-2017:2547

access.redhat.com/errata/RHSA-2017:2633

access.redhat.com/errata/RHSA-2017:2635

access.redhat.com/errata/RHSA-2017:2636

access.redhat.com/errata/RHSA-2017:2637

access.redhat.com/errata/RHSA-2017:2638

access.redhat.com/errata/RHSA-2017:3141

access.redhat.com/errata/RHSA-2017:3454

access.redhat.com/errata/RHSA-2017:3455

access.redhat.com/errata/RHSA-2017:3456

access.redhat.com/errata/RHSA-2017:3458

access.redhat.com/errata/RHSA-2018:0294

access.redhat.com/errata/RHSA-2018:0342

access.redhat.com/errata/RHSA-2018:1449

access.redhat.com/errata/RHSA-2018:1450

access.redhat.com/errata/RHSA-2019:0910

access.redhat.com/errata/RHSA-2019:2858

access.redhat.com/errata/RHSA-2019:3149

access.redhat.com/security/updates/classification/#important

bugzilla.redhat.com/show_bug.cgi?id=1462702

cwiki.apache.org/confluence/display/WW/S2-055

github.com/FasterXML/jackson-databind/issues/1599

github.com/FasterXML/jackson-databind/issues/1723

lists.apache.org/thread.html/3c87dc8bca99a2b3b4743713b33d1de05b1d6b761fdf316224e9c81f@%3Cdev.lucene.apache.org%3E

lists.apache.org/thread.html/4641ed8616ccc2c1fbddac2c3dc9900c96387bc226eaf0232d61909b@%3Ccommits.cassandra.apache.org%3E

lists.apache.org/thread.html/5008bcbd45ee65ce39e4220b6ac53d28a24d6bc67d5804e9773a7399@%3Csolr-user.lucene.apache.org%3E

lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E

lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E

lists.apache.org/thread.html/b1f33fe5ade396bb903fdcabe9f243f7692c7dfce5418d3743c2d346@%3Cdev.lucene.apache.org%3E

lists.apache.org/thread.html/c10a2bf0fdc3d25faf17bd191d6ec46b29a353fa9c97bebd7c4e5913@%3Cdev.lucene.apache.org%3E

lists.apache.org/thread.html/c2ed4c0126b43e324cf740012a0edd371fd36096fd777be7bfe7a2a6@%3Cdev.lucene.apache.org%3E

lists.apache.org/thread.html/c9d5ff20929e8a3c8794facf4c4b326a9c10618812eec356caa20b87@%3Csolr-user.lucene.apache.org%3E

lists.apache.org/thread.html/f095a791bda6c0595f691eddd0febb2d396987eec5cbd29120d8c629@%3Csolr-user.lucene.apache.org%3E

lists.apache.org/thread.html/f60afd3c7e9ebaaf70fad4a4beb75cf8740ac959017a31e7006c7486@%3Cdev.lucene.apache.org%3E

lists.apache.org/thread.html/r42ac3e39e6265db12d9fc6ae1cd4b5fea7aed9830dc6f6d58228fed7@%3Ccommits.cassandra.apache.org%3E

lists.apache.org/thread.html/r68acf97f4526ba59a33cc6e592261ea4f85d890f99e79c82d57dd589@%3Cissues.spark.apache.org%3E

lists.apache.org/thread.html/rf7f87810c38dc9abf9f93989f76008f504cbf7c1a355214640b2d04c@%3Ccommits.cassandra.apache.org%3E

lists.debian.org/debian-lts-announce/2020/01/msg00037.html

lists.debian.org/debian-lts-announce/2020/08/msg00039.html

security.netapp.com/advisory/ntap-20171214-0002/

support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03902en_us

www.debian.org/security/2017/dsa-4004

www.oracle.com/security-alerts/cpuoct2020.html

www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

0.571 Medium

EPSS

Percentile

97.7%

JSON

Related for VERACODE:12540