Home > Vulnerability Database > CVE-2018-5968

Mend.io Vulnerability Database

CVE-2018-5968

Good to know:

Date: January 21, 2018

FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.

Language: Java

Severity Score

8.1

Related Resources (21)

Url: https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03902en_us

Url: https://security-tracker.debian.org/tracker/CVE-2018-5968

Url: https://access.redhat.com/errata/RHSA-2018:1525

Url: https://access.redhat.com/errata/RHSA-2018:0479

Url: https://security.netapp.com/advisory/ntap-20180423-0002

Url: https://access.redhat.com/errata/RHSA-2018:0478

Url: https://github.com/FasterXML/jackson-databind/issues/1899

Url: https://nvd.nist.gov/vuln/detail/CVE-2018-5968

Url: https://access.redhat.com/errata/RHSA-2019:3149

Url: https://www.oracle.com/security-alerts/cpuoct2020.html

Url: https://www.debian.org/security/2018/dsa-4114

Url: https://github.com/FasterXML/jackson-databind/commit/454be8bb8c913be18298327a84ca45a280b61605

Url: https://security.netapp.com/advisory/ntap-20180423-0002/

Url: https://github.com/FasterXML/jackson-databind/commit/03ea0bec6293d4330b5ad19d1d62aca0e3cb6381

Url: https://github.com/FasterXML/jackson-databind

Url: https://access.redhat.com/errata/RHSA-2018:0480

Url: https://access.redhat.com/errata/RHSA-2019:2858

Url: https://github.com/GulajavaMinistudio/jackson-databind/pull/92/commits/038b471e2efde2e8f96b4e0be958d3e5a1ff1d05

Url: https://access.redhat.com/errata/RHSA-2018:0481

Url: https://github.com/FasterXML/jackson-databind/commit/038b471e2efde2e8f96b4e0be958d3e5a1ff1d0

Url: https://www.mend.io/vulnerability-database/CVE-2018-5968

Severity Score

8.1

Weakness Type (CWE)

Deserialization of Untrusted Data

CWE-502

Incomplete List of Disallowed Inputs

CWE-184

Top Fix

Upgrade Version

Upgrade to version com.fasterxml.jackson.core:jackson-databind:2.9.4;com.fasterxml.jackson.core:jackson-databind:2.8.11.1;com.fasterxml.jackson.core:jackson-databind:2.7.9.5

Learn More

CVSS v3.1

Base Score:	8.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

CVSS v2

Base Score:	6.8
Access Vector (AV):	NETWORK
Access Complexity (AC):	MEDIUM
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	PARTIAL
Availability (A):	PARTIAL
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2018-5968

Good to know:

Date: January 21, 2018

Language: Java

Severity Score

Related Resources (21)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?