CVE-2018-19360

HIGH

Description

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.

In practice this is one more entry in jackson-databind's gadget-class blocklist (SubTypeValidator). The axis2-transport-jms class, org.apache.axis2.transport.jms.JMSOutTransportInfo, was added to that list in 2.9.8 (issue #2186, commit 42912cac, alongside the classes covered by CVE-2018-19361 and CVE-2018-19362). The weakness is CWE-502: an application that deserializes untrusted JSON with polymorphic typing that resolves arbitrary class names, typically enableDefaultTyping() or @JsonTypeInfo(use = Id.CLASS) on a property typed Object or another broad base type, lets the document choose which class is instantiated, and a gadget class on the classpath turns that into code execution or other impact. Two conditions must therefore both hold for this CVE to be reachable: default (or class-name based) typing is enabled, and axis2-transport-jms is on the classpath. The CVSS v3 score of 9.8 assumes that configuration. A service that never enables default typing is not exposed through this class, but should still upgrade, because the blocklist is reactive and the same pattern recurs in later jackson-databind CVEs; the durable fix is to disable default typing or, on 2.10 and later, to restrict it with a PolymorphicTypeValidator allow-list.
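The following is an added example, not code from the advisory or from the jackson-databind project. It puts the configuration this CVE depends on (global default typing on an Object-typed property) next to two allow-list alternatives: restricted default typing via BasicPolymorphicTypeValidator, which requires jackson-databind 2.10 or later, and named subtypes via @JsonTypeInfo/@JsonSubTypes, which works on every 2.x release. All class, property and package names (PolymorphicTypingDemo, OpenEnvelope, ClosedEnvelope, Message, com.example.model) are hypothetical, and the JSON inputs are constructed; a harmless class stands in for the gadget an attacker would name.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;

/**
 * Added example (not from the advisory or the jackson-databind project).
 * Contrasts the 2.9-era default-typing configuration behind CVE-2018-19360
 * with allow-list configurations. All names below are hypothetical.
 */
public class PolymorphicTypingDemo {

    /** Unsafe shape: the JSON document decides the concrete class of "payload". */
    public static final class OpenEnvelope {
        public Object payload;
    }

    /** Safe shape: type ids are logical names bound to a closed set of classes. */
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "type")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = TextMessage.class, name = "text"),
        @JsonSubTypes.Type(value = PingMessage.class, name = "ping")
    })
    public interface Message {}

    public static final class TextMessage implements Message { public String body; }
    public static final class PingMessage implements Message { public long sentAt; }

    public static final class ClosedEnvelope {
        public Message payload;
    }

    /** The 2.9.x configuration that makes a missing blocklist entry exploitable. */
    @SuppressWarnings("deprecation")
    public static ObjectMapper vulnerableMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // any class on the classpath may be named in the JSON
        return mapper;
    }

    /** 2.10+ replacement: class names are honoured only under an explicit package prefix. */
    public static ObjectMapper restrictedMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(
            BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.") // hypothetical application package
                .build(),
            ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input. The [ "<class name>", { ... } ] array is the wire shape
        // default typing uses to carry a concrete class. java.util.HashMap stands in for
        // a gadget class; a real attack names a gadget whose library is on the classpath.
        String classNamedPayload = "{\"payload\":[\"java.util.HashMap\",{\"k\":\"v\"}]}";

        // 1. Vulnerable: the attacker-chosen class name is resolved and instantiated.
        OpenEnvelope opened = vulnerableMapper().readValue(classNamedPayload, OpenEnvelope.class);
        System.out.println("default typing instantiated: " + opened.payload.getClass().getName());

        // 2. Restricted default typing (2.10+): the same document is refused before
        //    any constructor or setter of the named class runs.
        try {
            restrictedMapper().readValue(classNamedPayload, OpenEnvelope.class);
            System.out.println("unexpected: validator allowed the class");
        } catch (JsonMappingException e) {
            System.out.println("validator rejected: " + e.getOriginalMessage());
        }

        // 3. Named subtypes: no class names are accepted at all, only the ids declared above.
        ObjectMapper plain = new ObjectMapper();
        ClosedEnvelope ok = plain.readValue(
            "{\"payload\":{\"type\":\"text\",\"body\":\"hello\"}}", ClosedEnvelope.class);
        System.out.println("bound to: " + ok.payload.getClass().getSimpleName());
        try {
            plain.readValue("{\"payload\":{\"type\":\"java.util.HashMap\"}}", ClosedEnvelope.class);
        } catch (InvalidTypeIdException e) {
            System.out.println("unknown type id rejected: " + e.getTypeId());
        }
    }
}
```

Case 1 is the reachable condition for this CVE: with enableDefaultTyping() on a version before 2.9.8, substituting the axis2-transport-jms class for java.util.HashMap is all an attacker needs once that library is on the classpath. Upgrading to 2.9.8 closes this one class; case 2 or case 3 closes the whole class of bugs, and case 3 is available on every 2.x release.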

References

http://www.securityfocus.com/bid/107985

https://access.redhat.com/errata/RHBA-2019:0959

https://access.redhat.com/errata/RHSA-2019:0782

https://access.redhat.com/errata/RHSA-2019:0877

https://access.redhat.com/errata/RHSA-2019:1782

https://access.redhat.com/errata/RHSA-2019:1797

https://access.redhat.com/errata/RHSA-2019:1822

https://access.redhat.com/errata/RHSA-2019:1823

https://access.redhat.com/errata/RHSA-2019:2804

https://access.redhat.com/errata/RHSA-2019:2858

https://access.redhat.com/errata/RHSA-2019:3002

https://access.redhat.com/errata/RHSA-2019:3140

https://access.redhat.com/errata/RHSA-2019:3149

https://access.redhat.com/errata/RHSA-2019:3892

https://access.redhat.com/errata/RHSA-2019:4037

https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8

https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b

https://github.com/FasterXML/jackson-databind/issues/2186

https://issues.apache.org/jira/browse/TINKERPOP-2121

https://lists.apache.org/thread.html/[email protected]%3Cdevnull.infra.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.drill.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.drill.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccommits.nifi.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccommits.pulsar.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.drill.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccommits.pulsar.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.bookkeeper.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccommits.nifi.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.geode.apache.org%3E

https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html

https://seclists.org/bugtraq/2019/May/68

https://security.netapp.com/advisory/ntap-20190530-0003/

https://www.debian.org/security/2019/dsa-4452

https://www.oracle.com/security-alerts/cpuapr2020.html

https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

Details

Source: MITRE

Published: 2019-01-02

Updated: 2020-08-31

Type: CWE-502

Risk Information

CVSS v2.0

Base Score: 7.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Impact Score: 6.4

Exploitability Score: 10

Severity: HIGH

CVSS v3.0

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Impact Score: 5.9

Exploitability Score: 3.9

Severity: CRITICAL

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:* versions from 2.6.0 to 2.6.7.2 (inclusive)

cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*

cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*

cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*

Configuration 2

OR

cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

Configuration 3

OR

cpe:2.3:a:oracle:business_process_management_suite:12.1.3.0.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:15.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:15.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:16.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:16.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:* versions from 17.7 to 17.12 (inclusive)

cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:18.8:*:*:*:*:*:*:*

cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:* versions from 17.7 to 17.12 (inclusive)

cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_workforce_management_software:1.60.9.0.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*

Configuration 4

OR

cpe:2.3:a:redhat:automation_manager:7.3.1:*:*:*:*:*:*:*

cpe:2.3:a:redhat:decision_manager:7.3.1:*:*:*:*:*:*:*

cpe:2.3:a:redhat:jboss_bpm_suite:6.4.11:*:*:*:*:*:*:*

cpe:2.3:a:redhat:jboss_brms:6.4.10:*:*:*:*:*:*:*

cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*

Tenable Plugins


ID     | Name                                                                                                       | Product | Family                       | Severity
130058 | Oracle Database Server Multiple Vulnerabilities (Oct 2019 CPU)                                             | Nessus  | Databases                    | high
126828 | Oracle Primavera Gateway Multiple Vulnerabilities (Jul 2019 CPU)                                           | Nessus  | CGI abuses                   | high
125416 | Debian DSA-4452-1 : jackson-databind - security update                                                     | Nessus  | Debian Local Security Checks | high
124237 | Oracle WebCenter Portal Multiple Vulnerabilities (Apr 2019 CPU)                                            | Nessus  | Misc.                        | high
124170 | Oracle Primavera Unifier Multiple Vulnerabilities (Apr 2019 CPU)                                           | Nessus  | CGI abuses                   | high
124169 | Oracle Primavera P6 Enterprise Project Portfolio Management (EPPM) Multiple Vulnerabilities (Apr 2019 CPU) | Nessus  | CGI abuses                   | high
122603 | Debian DLA-1703-1 : jackson-databind security update                                                       | Nessus  | Debian Local Security Checks | high
122290 | Fedora 29 : bouncycastle / eclipse-jgit / eclipse-linuxtools / etc (2019-df57551f6d)                       | Nessus  | Fedora Local Security Checks | high