CVE - CVE-2018-7489

CVE-ID
CVE-2018-7489	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
BID:103203 URL:http://www.securityfocus.com/bid/103203 CONFIRM:http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html URL:http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html CONFIRM:http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html URL:http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html CONFIRM:http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html URL:http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html CONFIRM:https://github.com/FasterXML/jackson-databind/issues/1931 URL:https://github.com/FasterXML/jackson-databind/issues/1931 CONFIRM:https://security.netapp.com/advisory/ntap-20180328-0001/ URL:https://security.netapp.com/advisory/ntap-20180328-0001/ CONFIRM:https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03902en_us URL:https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03902en_us CONFIRM:https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html URL:https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html DEBIAN:DSA-4190 URL:https://www.debian.org/security/2018/dsa-4190 MISC:https://www.oracle.com/security-alerts/cpuoct2020.html URL:https://www.oracle.com/security-alerts/cpuoct2020.html MISC:https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html URL:https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html MISC:https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html URL:https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html MLIST:[druid-commits] 20210324 [GitHub] [druid] jihoonson opened a new pull request #11030: Suppress cves URL:https://lists.apache.org/thread.html/r1d4a247329a8478073163567bbc8c8cb6b49c6bfc2bf58153a857af1@%3Ccommits.druid.apache.org%3E REDHAT:RHSA-2018:1447 URL:https://access.redhat.com/errata/RHSA-2018:1447 REDHAT:RHSA-2018:1448 URL:https://access.redhat.com/errata/RHSA-2018:1448 REDHAT:RHSA-2018:1449 URL:https://access.redhat.com/errata/RHSA-2018:1449 REDHAT:RHSA-2018:1450 URL:https://access.redhat.com/errata/RHSA-2018:1450 REDHAT:RHSA-2018:1451 URL:https://access.redhat.com/errata/RHSA-2018:1451 REDHAT:RHSA-2018:1786 URL:https://access.redhat.com/errata/RHSA-2018:1786 REDHAT:RHSA-2018:2088 URL:https://access.redhat.com/errata/RHSA-2018:2088 REDHAT:RHSA-2018:2089 URL:https://access.redhat.com/errata/RHSA-2018:2089 REDHAT:RHSA-2018:2090 URL:https://access.redhat.com/errata/RHSA-2018:2090 REDHAT:RHSA-2018:2938 URL:https://access.redhat.com/errata/RHSA-2018:2938 REDHAT:RHSA-2018:2939 URL:https://access.redhat.com/errata/RHSA-2018:2939 REDHAT:RHSA-2019:2858 URL:https://access.redhat.com/errata/RHSA-2019:2858 REDHAT:RHSA-2019:3149 URL:https://access.redhat.com/errata/RHSA-2019:3149 SECTRACK:1040693 URL:http://www.securitytracker.com/id/1040693 SECTRACK:1041890 URL:http://www.securitytracker.com/id/1041890
Assigning CNA
MITRE Corporation
Date Record Created
20180226	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20180226)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)