First published: Wed Jan 30 2019
An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the Jodd-db jar (database access for the Jodd framework) is on the service's classpath, and an attacker can supply an LDAP service for the service to connect to, the attacker can make the service execute a malicious payload. All three conditions must hold; the deserialization of an attacker-chosen class is what turns the LDAP reference into code execution.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
FasterXML jackson-databind | >=2.0.0<2.6.7.3 | |
FasterXML jackson-databind | >=2.7.0<2.7.9.4 | |
FasterXML jackson-databind | >=2.8.0<2.8.11.2 | |
FasterXML jackson-databind | >=2.9.0<2.9.6 | |
Debian Debian Linux | =9.0 | |
Fedoraproject Fedora | =29 | |
Oracle Jd Edwards Enterpriseone Tools | =9.2 | |
Oracle Retail Merchandising System | =15.0 | |
Redhat Automation Manager | =7.3.1 | |
Redhat Decision Manager | =7.3.1 | |
Redhat Jboss Brms | =6.4.10 | |
Redhat Jboss Enterprise Application Platform | =7.2.0 | |
Redhat Openshift Container Platform | =3.11 | |
Redhat Single Sign-on | =7.3 | |
maven/com.fasterxml.jackson.core:jackson-databind | >=2.8.0<=2.8.11.1 | 2.8.11.2 |
maven/com.fasterxml.jackson.core:jackson-databind | <=2.7.9.3 | 2.7.9.4 |
maven/com.fasterxml.jackson.core:jackson-databind | >=2.9.0<2.9.6 | 2.9.6 |
IBM GDE | <=3.0.0.2 | |
debian/jackson-databind | 2.9.8-3+deb10u3 2.9.8-3+deb10u5 2.12.1-1+deb11u1 2.14.0-1 | |
CVE-2018-12022 is a vulnerability in FasterXML jackson-databind that could allow a remote attacker to execute arbitrary code on the system.
The severity of CVE-2018-12022 is critical, with a CVSS score of 9.8.
CVE-2018-12022 is exploitable only when all three preconditions hold: Default Typing is enabled (globally or for a specific property), the Jodd-db jar is on the classpath, and an attacker can supply an LDAP reference as a property value that the service will resolve.
CVE-2018-12022 affects jackson-databind versions prior to 2.7.9.4 on the 2.7 branch, prior to 2.8.11.2 on the 2.8 branch, and prior to 2.9.6 on the 2.9 branch; the fixed versions themselves are not affected.
To fix CVE-2018-12022, update jackson-databind to 2.7.9.4, 2.8.11.2, or 2.9.6 (or a later release on the same branch). Independently of the patch, not enabling Default Typing on attacker-reachable input removes the precondition the attack relies on.
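As an added illustration (not code from this advisory or from the jackson-databind project), the Java class below shows the Default Typing precondition in action and the explicit-subtype configuration that removes it. The Envelope, Payload and SafeEnvelope types and the embedded JSON are constructed for the demo; a harmless JDK class (java.util.HashMap) stands in for a classpath gadget such as the Jodd-db class, which is deliberately not shown.

```java
// Added example, not from the advisory or the jackson-databind project.
// Contrasts global Default Typing (the CVE-2018-12022 precondition) with
// explicit named subtypes, which never let the JSON pick the Java class.
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;

public class DefaultTypingDemo {

    // Assumption: attacker-controlled JSON lands in a property typed Object,
    // a common shape for generic event or RPC envelopes.
    public static class Envelope {
        public String id;
        public Object payload;
    }

    // Safe alternative: the wire format carries a logical name and only the
    // classes registered here may be instantiated for this field.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "type")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = TextPayload.class, name = "text"),
        @JsonSubTypes.Type(value = CounterPayload.class, name = "counter")
    })
    public interface Payload {}
    public static class TextPayload implements Payload { public String text; }
    public static class CounterPayload implements Payload { public long count; }

    public static class SafeEnvelope {
        public String id;
        public Payload payload;
    }

    // Constructed input: with Default Typing, the first array element is read
    // as a fully qualified class name. A benign JDK class stands in for a
    // gadget class such as the Jodd-db one named in the advisory.
    static final String TYPED_JSON =
        "{\"id\":\"1\",\"payload\":[\"java.util.HashMap\",{\"k\":\"v\"}]}";

    public static void main(String[] args) throws Exception {
        // VULNERABLE: global Default Typing. Jackson instantiates whatever
        // class the JSON names, as long as it is on the classpath.
        ObjectMapper risky = new ObjectMapper();
        risky.enableDefaultTyping(); // deprecated since 2.10; the CVE precondition
        Envelope e = risky.readValue(TYPED_JSON, Envelope.class);
        System.out.println("default typing instantiated: "
            + e.payload.getClass().getName());

        // HARDENED: Default Typing left off (Jackson's default); polymorphism
        // is expressed with registered names instead of class names.
        ObjectMapper safe = new ObjectMapper();
        SafeEnvelope ok = safe.readValue(
            "{\"id\":\"2\",\"payload\":{\"type\":\"text\",\"text\":\"hi\"}}",
            SafeEnvelope.class);
        System.out.println("named subtype: "
            + ok.payload.getClass().getSimpleName());

        // A class name in the type field is not a registered name and is
        // rejected before any constructor runs (InvalidTypeIdException is a
        // JsonMappingException subclass).
        try {
            safe.readValue(
                "{\"id\":\"3\",\"payload\":{\"type\":\"java.util.HashMap\"}}",
                SafeEnvelope.class);
        } catch (InvalidTypeIdException ex) {
            System.out.println("rejected type id: " + ex.getTypeId());
        }
    }
}
```

Compile against jackson-databind and jackson-annotations on the classpath and run the main method; the first mapper prints java.util.HashMap because the JSON chose the class, the second prints TextPayload and then the rejected type id. If a service genuinely needs Default Typing, jackson-databind 2.10 and later replace enableDefaultTyping with activateDefaultTyping, which requires a PolymorphicTypeValidator allowlist; on the 2.7, 2.8 and 2.9 branches covered by this advisory the explicit @JsonTypeInfo/@JsonSubTypes approach above is the available equivalent.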