Home

CVE-2018-7489

Description

FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.

Risk Information

Base Score
9.8
MODERATE
Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score
Exploitation Probability
36.207

Associated Vulnerability

VulnerabilityOS Platform
Multiple vulnerabilities are affected in Oracle WebLogic Server 12.2.1.3Windows
Multiple vulnerabilities are affected in Oracle WebLogic Server 12.2.1.3.0Windows
Multiple vulnerabilities are affected in Oracle WebLogic Server 12.2.1.4.0Windows
Multiple vulnerabilities are affected in Oracle WebLogic Server 14.1.1.0.0Windows
Multiple vulnerabilities are affected in Oracle WebLogic Server 12.2.1.2Windows
Multiple vulnerabilities are fixed in Jackson-databind 2.6.7.5Windows
Vulnerabilities CVE-2018-5968,CVE-2018-7489 are fixed in Jackson-databind 2.8.11.1Windows
Vulnerabilities CVE-2018-7489 are fixed in Jackson-databind 2.9.5Windows
Vulnerabilities CVE-2018-7489 are fixed in Jackson-databind 2.7.9.3Windows
Vulnerabilities CVE-2017-17485,CVE-2018-7489 are affected in Red Hat JBoss Enterprise Application Platform 7 6.4.19Windows
Vulnerabilities CVE-2018-7489 are affected in Red Hat JBoss Enterprise Application Platform 7 7.1.2Windows
Multiple Vulnerabilities are affected in IBM Aspera Shares 1.10.1Windows
Multiple vulnerabilities are fixed in Jackson-databind for Linux 2.6.7.5Linux
Vulnerabilities CVE-2018-5968,CVE-2018-7489 are fixed in Jackson-databind for Linux 2.8.11.1Linux
Vulnerabilities CVE-2018-7489 are fixed in Jackson-databind for Linux 2.9.5Linux
Vulnerabilities CVE-2018-7489 are fixed in Jackson-databind for Linux 2.7.9.3Linux
Incomplete List of Disallowed Inputs Vulnerability (CVE-2018-7489)NCM

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234