Candidate: CVE-2018-7489
PublicDate: 2018-02-26 15:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7489
 https://github.com/FasterXML/jackson-databind/issues/1931
 https://github.com/FasterXML/jackson-databind/commit/6799f8f10cc78e9af6d443ed6982d00a13f2e7d2
Description:
 FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x
 before 2.9.5 allows unauthenticated remote code execution because of an
 incomplete fix for the CVE-2017-7525 deserialization flaw. This is
 exploitable by sending maliciously crafted JSON input to the readValue
 method of the ObjectMapper, bypassing a blacklist that is ineffective if
 the c3p0 libraries are available in the classpath.
Ubuntu-Description:
 It was discovered that Jackson Databind incorrectly handled
 deserialization. An attacker could possibly use this issue to execute
 arbitrary code.
Notes:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891614
Priority: high
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]

Patches_jackson-databind:
upstream_jackson-databind: released (2.9.5-1)
precise/esm_jackson-databind: DNE
trusty_jackson-databind: ignored (reached end-of-life)
trusty/esm_jackson-databind: DNE (trusty was needs-triage)
xenial_jackson-databind: ignored (end of standard support, was needed)
artful_jackson-databind: released (2.8.6-1+deb9u4build0.17.10.1)
bionic_jackson-databind: not-affected (2.9.5-1)
cosmic_jackson-databind: not-affected (2.9.5-1)
disco_jackson-databind: not-affected (2.9.5-1)
eoan_jackson-databind: not-affected (2.9.5-1)
focal_jackson-databind: not-affected (2.9.5-1)
groovy_jackson-databind: not-affected (2.9.5-1)
hirsute_jackson-databind: not-affected (2.9.5-1)
impish_jackson-databind: not-affected (2.9.5-1)
jammy_jackson-databind: not-affected (2.9.5-1)
devel_jackson-databind: not-affected (2.9.5-1)