CVE-2018-7489
Published: 26 February 2018
FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.
From the Ubuntu Security Team
It was discovered that Jackson Databind incorrectly handled deserialization. An attacker could possibly use this issue to execute arbitrary code.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
jackson-databind Launchpad, Ubuntu, Debian |
artful |
Released
(2.8.6-1+deb9u4build0.17.10.1)
|
| bionic |
Not vulnerable
(2.9.5-1)
|
|
| cosmic |
Not vulnerable
(2.9.5-1)
|
|
| disco |
Not vulnerable
(2.9.5-1)
|
|
| eoan |
Not vulnerable
(2.9.5-1)
|
|
| focal |
Not vulnerable
(2.9.5-1)
|
|
| groovy |
Not vulnerable
(2.9.5-1)
|
|
| hirsute |
Not vulnerable
(2.9.5-1)
|
|
| impish |
Not vulnerable
(2.9.5-1)
|
|
| jammy |
Not vulnerable
(2.9.5-1)
|
|
| trusty |
Released
(2.2.2-1ubuntu0.1~esm1)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
|
| upstream |
Released
(2.9.5-1)
|
|
| xenial |
Released
(2.4.2-3ubuntu0.1~esm1)
Available with Ubuntu Pro |
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 9.8 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |