How does CVE-2018-19362 impact the affected software?

CVE-2018-19362 might allow attackers to have unspecified impact on the affected software by leveraging the failure to block the jboss-common-core class from polymorphic deserialization in FasterXML jackson-databind.

Is there a specific version of jackson-databind affected by CVE-2018-19362?

Yes, the affected versions of jackson-databind are 2.7.9.5, 2.8.11.3, and versions prior to 2.9.8.

What is the severity of CVE-2018-19362?

CVE-2018-19362 has a severity level of 5.3 (high).

How do I fix CVE-2018-19362?

To fix CVE-2018-19362, update your installation of FasterXML jackson-databind to version 2.9.8 or higher.

Vulnerability/
CVE-2018-19362

critical

9.8

CWE

502

2/1/2019

4/1/2019

5/8/2024

CVE-2018-19362

Q: What is CVE-2018-19362?

CVE-2018-19362 is an unspecified error with failure to block the jboss-common-core class from polymorphic deserialization in FasterXML jackson-databind before version 2.9.8.

First published: Wed Jan 02 2019(Updated: )

FasterXML jackson-databind 2.x before 2.9.8 fails to block the jboss-common-core class from polymorphic deserialization. References: <a href="https://github.com/FasterXML/jackson-databind/issues/2186">https://github.com/FasterXML/jackson-databind/issues/2186</a> <a href="https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8">https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8</a> Upstream Patch: <a href="https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b">https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b</a>

Credit: cve@mitre.org cve@mitre.org

Affected Software	Affected Version	How to fix
debian/jackson-databind		2.9.8-3+deb10u3 2.9.8-3+deb10u5 2.12.1-1+deb11u1 2.14.0-1
FasterXML jackson-databind	>=2.6.0<=2.6.7.2
FasterXML jackson-databind	>=2.7.0<2.7.9.5
FasterXML jackson-databind	>=2.8.0<2.8.11.3
FasterXML jackson-databind	>=2.9.0<2.9.8
Debian Debian Linux	=8.0
Oracle Business Process Management Suite	=12.1.3.0.0
Oracle Business Process Management Suite	=12.2.1.3.0
Oracle Primavera P6 Enterprise Project Portfolio Management	>=17.7<=17.12
Oracle Primavera P6 Enterprise Project Portfolio Management	=15.1
Oracle Primavera P6 Enterprise Project Portfolio Management	=15.2
Oracle Primavera P6 Enterprise Project Portfolio Management	=16.1
Oracle Primavera P6 Enterprise Project Portfolio Management	=16.2
Oracle Primavera P6 Enterprise Project Portfolio Management	=18.8
Oracle Primavera Unifier	>=17.7<=17.12
Oracle Primavera Unifier	=16.1
Oracle Primavera Unifier	=16.2
Oracle Primavera Unifier	=18.8
Oracle Retail Workforce Management Software	=1.60.9.0.0
Oracle WebCenter Portal	=12.2.1.3.0
Redhat Automation Manager	=7.3.1
Redhat Decision Manager	=7.3.1
Redhat Jboss Bpm Suite	=6.4.11
Redhat Jboss Brms	=6.4.10
Redhat Openshift Container Platform	=3.11
redhat/jackson-databind	<2.9.8	2.9.8
redhat/jackson-databind	<2.7.9.5	2.7.9.5
redhat/jackson-databind	<2.8.11.3	2.8.11.3
maven/com.fasterxml.jackson.core:jackson-databind	>=2.0.0<2.6.7.3	2.6.7.3
maven/com.fasterxml.jackson.core:jackson-databind	>=2.7.0<=2.7.9.4	2.7.9.5
maven/com.fasterxml.jackson.core:jackson-databind	>=2.8.0<=2.8.11.2	2.8.11.3
maven/com.fasterxml.jackson.core:jackson-databind	>=2.9.0<2.9.8	2.9.8
IBM CLM	<=6.0.6.1
IBM CLM	<=6.0.6
IBM CLM	<=6.0.2

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

IBM-6320835

Frequently Asked Questions

What is CVE-2018-19362?
CVE-2018-19362 is an unspecified error with failure to block the jboss-common-core class from polymorphic deserialization in FasterXML jackson-databind before version 2.9.8.
How does CVE-2018-19362 impact the affected software?
CVE-2018-19362 might allow attackers to have unspecified impact on the affected software by leveraging the failure to block the jboss-common-core class from polymorphic deserialization in FasterXML jackson-databind.
Is there a specific version of jackson-databind affected by CVE-2018-19362?
Yes, the affected versions of jackson-databind are 2.7.9.5, 2.8.11.3, and versions prior to 2.9.8.
What is the severity of CVE-2018-19362?
CVE-2018-19362 has a severity level of 5.3 (high).
How do I fix CVE-2018-19362?
To fix CVE-2018-19362, update your installation of FasterXML jackson-databind to version 2.9.8 or higher.

collector/security-tracker-debian
collector/nvd-index
agent/type
agent/first-publish-date
agent/weakness
agent/remedy
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2018-19362
agent/software-canonical-lookup
collector/github-advisory-latest
source/GitHub
alias/GHSA-c8hm-7hpq-7jhg
agent/severity
agent/last-modified-date
agent/event
collector/nvd-cve
source/NVD
agent/author
collector/github-advisory
agent/softwarecombine
agent/description
collector/ibm-support
source/IBM
agent/references
agent/tags
collector/mitre-cve
source/MITRE
package-manager/debian
vendor/fasterxml
canonical/fasterxml jackson-databind
version/fasterxml jackson-databind/2.6.0
version/fasterxml jackson-databind/2.6.7.2
version/fasterxml jackson-databind/2.7.0
version/fasterxml jackson-databind/2.8.0
version/fasterxml jackson-databind/2.9.0
vendor/debian
canonical/debian debian linux
version/debian debian linux/8.0
vendor/oracle
canonical/oracle business process management suite
version/oracle business process management suite/12.1.3.0.0
version/oracle business process management suite/12.2.1.3.0
canonical/oracle primavera p6 enterprise project portfolio management
version/oracle primavera p6 enterprise project portfolio management/17.7
version/oracle primavera p6 enterprise project portfolio management/17.12
version/oracle primavera p6 enterprise project portfolio management/15.1
version/oracle primavera p6 enterprise project portfolio management/15.2
version/oracle primavera p6 enterprise project portfolio management/16.1
version/oracle primavera p6 enterprise project portfolio management/16.2
version/oracle primavera p6 enterprise project portfolio management/18.8
canonical/oracle primavera unifier
version/oracle primavera unifier/17.7
version/oracle primavera unifier/17.12
version/oracle primavera unifier/16.1
version/oracle primavera unifier/16.2
version/oracle primavera unifier/18.8
canonical/oracle retail workforce management software
version/oracle retail workforce management software/1.60.9.0.0
canonical/oracle webcenter portal
version/oracle webcenter portal/12.2.1.3.0
vendor/redhat
canonical/redhat automation manager
version/redhat automation manager/7.3.1
canonical/redhat decision manager
version/redhat decision manager/7.3.1
canonical/redhat jboss bpm suite
version/redhat jboss bpm suite/6.4.11
canonical/redhat jboss brms
version/redhat jboss brms/6.4.10
canonical/redhat openshift container platform
version/redhat openshift container platform/3.11
package-manager/redhat
package-manager/maven
vendor/ibm
canonical/ibm gde
version/ibm gde/3.0.0.2

CVE-2018-19362

Remedy

Remedy

Remedy

Remedy

Remedy

Remedy

Remedy

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

Frequently Asked Questions

What is CVE-2018-19362?

How does CVE-2018-19362 impact the affected software?

Is there a specific version of jackson-databind affected by CVE-2018-19362?

What is the severity of CVE-2018-19362?

How do I fix CVE-2018-19362?

Company

Resources

Contact