Remote code execution in FasterXML jackson-databind
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2018-5968 CVE-2018-7489 |
| CWE-ID | CWE-502 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
jackson-databind Universal components / Libraries / Libraries used by multiple products |
| Vendor | FasterXML |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Deserialization of untrusted data
EUVDB-ID: #VU10610
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2018-5968
CWE-ID:
CWE-502 - Deserialization of Untrusted Data
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code.
The weakness exists due to deserialization flaw. A remote attacker can supply specially crafted input, execute arbitrary code and bypass a blacklist on the target system.
Successful exploitation of the vulnerability may result in system compromise.
Update to version 2.8.11.1 or 2.9.4.
jackson-databind: 2.8.0 - 2.9.3
CPE2.3- cpe:2.3:a:fasterxml:jackson-databind:2.8.11:*:*:*:*:*:*:*
- cpe:2.3:a:fasterxml:jackson-databind:2.9.3:*:*:*:*:*:*:*
https://github.com/FasterXML/jackson-databind/issues/1899
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Deserialization of untrusted data
EUVDB-ID: #VU11268
Risk: High
CVSSv4.0: 7.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2018-7489
CWE-ID:
CWE-502 - Deserialization of Untrusted Data
Exploit availability: No
DescriptionThe vulnerability allows a remote unauthenticated attacker to bypass security restrictions and execute arbitrary code on the target system.
The weakness exists in the readValue method due to improper validation of user-input. A remote attacker can send malicious JSON input, bypass security restrictions and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
Update to version 2.8.11.1.
Vulnerable software versionsjackson-databind: 2.0.0 - 2.9.4
CPE2.3- cpe:2.3:a:fasterxml:jackson-databind:2.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:fasterxml:jackson-databind:2.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:fasterxml:jackson-databind:2.3.5:*:*:*:*:*:*:*
- cpe:2.3:a:fasterxml:jackson-databind:2.4.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:fasterxml:jackson-databind:2.5.5:*:*:*:*:*:*:*
- cpe:2.3:a:fasterxml:jackson-databind:2.6.8:*:*:*:*:*:*:*
- cpe:2.3:a:fasterxml:jackson-databind:2.7.9.3:*:*:*:*:*:*:*
- cpe:2.3:a:fasterxml:jackson-databind:2.9.4:*:*:*:*:*:*:*
https://github.com/FasterXML/jackson-databind/issues/1931
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
