CVE-2018-7489

Published: 26/02/2018 Updated: 07/11/2023
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 670
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

FasterXML jackson-databind prior to 2.7.9.3, 2.8.x prior to 2.8.11.1 and 2.9.x prior to 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.

Vulnerable Products

fasterxml jackson-databind

debian debian linux 8.0

debian debian linux 9.0

oracle communications billing and revenue management 7.5

oracle communications billing and revenue management 12.0

oracle communications instant messaging server 10.0.1

redhat jboss enterprise application platform 6.4.19

redhat jboss enterprise application platform 7.1.2

Vendor Advisories

Debian Bug report logs - #891614 jackson-databind: CVE-2018-7489: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries. Package: src:jackson-databind; Maintainer for src:jackson-databind is Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso < ...
It was discovered that jackson-databind, a Java library used to parse JSON and other data formats, improperly validated user input prior to deserializing because of an incomplete fix for CVE-2017-7525. For the oldstable distribution (jessie), this problem has been fixed in version 2.4.2-2+deb8u4. For the stable distribution (stretch), this problem ...
Synopsis: Important: Red Hat JBoss Enterprise Application Platform 6.4.20 security update. Type/Severity: Security Advisory: Important. Topic: An update is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having a ...
Synopsis: Moderate: Red Hat JBoss Enterprise Application Platform 7.1.3 security update. Type/Severity: Security Advisory: Moderate. Topic: An update is now available for Red Hat JBoss Enterprise Application Platform 7.1. Red Hat Product Security has rated this update as having a security impact of Moderate. A Co ...
Synopsis: Moderate: Red Hat OpenShift Application Runtimes Thorntail 2.2.0 security & bug fix update. Type/Severity: Security Advisory: Moderate. Topic: An update is now available for Red Hat OpenShift Application Runtimes. Red Hat Product Security has rated this update as having a security impact of Moderate ...
Synopsis: Moderate: Red Hat JBoss Enterprise Application Platform security update. Type/Severity: Security Advisory: Moderate. Topic: An update is now available for Red Hat JBoss Enterprise Application Platform 7.1 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security ...
Synopsis: Critical: Red Hat FIS 2.0 on Fuse 6.3.0 R8 security and bug fix update. Type/Severity: Security Advisory: Critical. Topic: An update is now available for Red Hat Fuse Integration Services. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scor ...
Synopsis: Important: OpenShift Container Platform logging-elasticsearch5-container security update. Type/Severity: Security Advisory: Important. Topic: An update for logging-elasticsearch5-container is now available for Red Hat OpenShift Container Platform 3.11. Red Hat Product Security has rated this update as h ...
Synopsis: Moderate: Red Hat OpenShift Application Runtimes security and bug fix update. Type/Severity: Security Advisory: Moderate. Topic: An update is now available for Red Hat OpenShift Application Runtimes. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerab ...
Synopsis: Important: Red Hat JBoss Enterprise Application Platform 6.4.20 security update. Type/Severity: Security Advisory: Important. Topic: An update is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a ...
Synopsis: Moderate: Red Hat JBoss Enterprise Application Platform security update. Type/Severity: Security Advisory: Moderate. Topic: An update is now available for Red Hat JBoss Enterprise Application Platform 7.1 for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security ...
Synopsis: Important: eap6-jboss-ec2-eap security update. Type/Severity: Security Advisory: Important. Topic: An update for jboss-ec2-eap is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact ...
Synopsis: Important: Red Hat JBoss Enterprise Application Platform 6.4.20 security update. Type/Severity: Security Advisory: Important. Topic: Updated packages that provide Red Hat JBoss Enterprise Application Platform 6.4.20, fix several bugs, and add various enhancements are now available from the Red Hat Cu ...
Synopsis: Important: Red Hat JBoss Enterprise Application Platform 6.4.20 security update. Type/Severity: Security Advisory: Important. Topic: An update is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a ...
Synopsis: Important: OpenShift Container Platform 4.1.18 logging-elasticsearch5 security update. Type/Severity: Security Advisory: Important. Topic: An update for logging-elasticsearch5-container is now available for Red Hat OpenShift Container Platform 4.1. Red Hat Product Security has rated this update as havin ...
Synopsis: Important: EAP Continuous Delivery Technical Preview Release 13 security update. Type/Severity: Security Advisory: Important. Topic: This is a security update for JBoss EAP Continuous Delivery 13.0. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnera ...

Github Repositories

AWS SDK for Java The AWS SDK for Java enables Java developers to easily work with Amazon Web Services and build scalable solutions with Amazon S3, Amazon DynamoDB, Amazon Glacier, and more You can get started in minutes using Maven or by downloading a single zip file SDK Homepage API Docs Developer Guide (source) Forum Issues SDK Blog Getting Help Release Notes Beginning w

har-reader: Library for accessing HTTP Archives (HAR) with Java

HAR reader - Read HTTP Archives with Java. Maven dependency: <dependency> <groupId>de.sstoehr</groupId> <artifactId>har-reader</artifactId> <version>2.3.0</version> </dependency> Usage - Reading HAR from File: HarReader harReader = new HarRe ...

Recent Articles

Thought Patch Tuesday was a load? You gotta check out this Oracle mega-advisory, then
The Register • Shaun Nichols in San Francisco • 16 Oct 2018

And you'll definitely want to check out the libssh flaw

Oracle has released a wide-ranging security update to address more than 300 CVE-listed vulnerabilities in its various enterprise products. The October release covers the gamut of Oracle's offerings, including its flagship Database, E-Business Suite, and Fusion Middleware packages. For Database, the update addresses a total of three flaws. Two of the vulnerabilities (CVE-2018-3259 and CVE-2018-3299) can be remotely exploited without authentication, while the third, CVE-2018-7489, would require th...

References

CWE-184
CWE-502
https://github.com/FasterXML/jackson-databind/issues/1931
http://www.securityfocus.com/bid/103203
https://security.netapp.com/advisory/ntap-20180328-0001/
http://www.securitytracker.com/id/1040693
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
https://www.debian.org/security/2018/dsa-4190
https://access.redhat.com/errata/RHSA-2018:1451
https://access.redhat.com/errata/RHSA-2018:1450
https://access.redhat.com/errata/RHSA-2018:1449
https://access.redhat.com/errata/RHSA-2018:1448
https://access.redhat.com/errata/RHSA-2018:1447
https://access.redhat.com/errata/RHSA-2018:1786
https://access.redhat.com/errata/RHSA-2018:2090
https://access.redhat.com/errata/RHSA-2018:2089
https://access.redhat.com/errata/RHSA-2018:2088
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03902en_us
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
http://www.securitytracker.com/id/1041890
https://access.redhat.com/errata/RHSA-2018:2939
https://access.redhat.com/errata/RHSA-2018:2938
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
https://access.redhat.com/errata/RHSA-2019:2858
https://access.redhat.com/errata/RHSA-2019:3149
https://www.oracle.com/security-alerts/cpuoct2020.html
https://lists.apache.org/thread.html/r1d4a247329a8478073163567bbc8c8cb6b49c6bfc2bf58153a857af1%40%3Ccommits.druid.apache.org%3E
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891614
https://nvd.nist.gov
https://github.com/sdstoehr/har-reader
https://www.debian.org/security/./dsa-4190