Vulnerability DatabaseCVE-2018-12023
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2018-12023
March 17, 2019
An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.
Affected Packages
com.fasterxml.jackson.core:jackson-databind (JAVA):
Affected version(s) >=2.9.0 <2.9.6
Fix Suggestion:
Update to version 2.9.6
com.fasterxml.jackson.core:jackson-databind (JAVA):
Affected version(s) >=2.7.0 <2.7.9.4
Fix Suggestion:
Update to version 2.7.9.4
com.fasterxml.jackson.core:jackson-databind (JAVA):
Affected version(s) >=2.8.0 <2.8.11.2
Fix Suggestion:
Update to version 2.8.11.2
Related ResourcesĀ (47)
https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E
https://access.redhat.com/errata/RHSA-2019:1782
https://access.redhat.com/errata/RHSA-2019:1140
https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E
https://github.com/FasterXML/jackson-databind
https://github.com/FasterXML/jackson-databind/commit/28badf7ef60ac3e7ef151cd8e8ec010b8479226a
https://www.oracle.com/security-alerts/cpuoct2020.html
https://access.redhat.com/errata/RHSA-2019:4037
https://www.debian.org/security/2019/dsa-4452
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
https://seclists.org/bugtraq/2019/May/68
https://access.redhat.com/errata/RHSA-2019:1797
https://github.com/FasterXML/jackson-databind/commit/7487cf7eb14be2f65a1eb108e8629c07ef45e0a
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZEDLDUYBSTDY4GWDBUXGJNS2RFYTFVRC
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
https://access.redhat.com/errata/RHSA-2019:3149
https://access.redhat.com/errata/RHSA-2019:1106
https://access.redhat.com/errata/RHSA-2019:1822
https://access.redhat.com/errata/RHSA-2019:1107
https://security.netapp.com/advisory/ntap-20190530-0003/
https://access.redhat.com/errata/RHSA-2019:2804
https://security.netapp.com/advisory/ntap-20190530-0003
https://access.redhat.com/errata/RHSA-2019:1108
https://access.redhat.com/errata/RHSA-2019:3140
https://access.redhat.com/errata/RHSA-2019:0877
https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf
https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
https://access.redhat.com/errata/RHSA-2019:2858
https://access.redhat.com/errata/RHSA-2019:1823
https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E
https://github.com/FasterXML/jackson-databind/issues/2058
https://www.oracle.com/security-alerts/cpuapr2020.html
https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E
https://lists.apache.org/thread.html/7fcf88aff0d1deaa5c3c7be8d58c05ad7ad5da94b59065d8e7c50c5d%40%3Cissues.lucene.apache.org%3E
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
https://lists.apache.org/thread.html/7fcf88aff0d1deaa5c3c7be8d58c05ad7ad5da94b59065d8e7c50c5d@%3Cissues.lucene.apache.org%3E
https://github.com/FasterXML/jackson-databind/commit/bf261d404c2f79fd3406237710d40ebb03c99d84
https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E
https://access.redhat.com/errata/RHSA-2019:3892
https://access.redhat.com/errata/RHSA-2019:3002
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZEDLDUYBSTDY4GWDBUXGJNS2RFYTFVRC/
http://www.securityfocus.com/bid/105659
https://nvd.nist.gov/vuln/detail/CVE-2018-12023
https://www.oracle.com/security-alerts/cpujul2020.html
https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E
https://access.redhat.com/errata/RHSA-2019:0782
https://access.redhat.com/errata/RHBA-2019:0959
Do you need more information?
Contact Us
CVSS v4
Base Score:
7.7
Attack Vector
NETWORK
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
PASSIVE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
7.5
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH
CVSS v2
Base Score:
5.1
Access Vector
NETWORK
Access Complexity
HIGH
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
Weakness Type (CWE)
Deserialization of Untrusted Data
CWE-502
EPSS
Base Score:
4.81