Deserialization of Untrusted Data

High severity. GitHub Reviewed. Published to the GitHub Advisory Database Jun 15, 2020 • Updated Mar 1, 2024

Package

com.fasterxml.jackson.core:jackson-databind (Maven)

Affected versions

>= 2.7.0, <= 2.7.9.3
>= 2.8.0, <= 2.8.11.1
>= 2.9.0, < 2.9.6

Patched versions

2.7.9.4
2.8.11.2
2.9.6

Description

An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service for the application to contact, it is possible to make the service execute a malicious payload.
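The first precondition in the description, Default Typing enabled, is an application configuration choice. As an added example (not code from the advisory or from the Jackson project), the weak global setting is shown beside the hardened form that keeps default typing off and declares a closed, explicit list of subtypes on the base type, which the patched 2.9 line supports. The Shape classes and the JSON strings are constructed for this example.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;

public class DefaultTypingHardening {

    // Weak configuration: the precondition this advisory describes.
    // Global default typing lets a type key inside the JSON pick the class
    // to instantiate from anything available on the classpath.
    static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL); // deprecated since 2.10
        return mapper;
    }

    // Hardened form: default typing stays off. Polymorphism is allowed only
    // through a fixed set of subtypes declared on the base type, so a type id
    // that is not in this list cannot be resolved to a class.
    // (On 2.10+ the alternative is activateDefaultTyping with a
    // BasicPolymorphicTypeValidator allow-list restricted to your own packages.)
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "type")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = Circle.class, name = "circle"),
        @JsonSubTypes.Type(value = Square.class, name = "square")
    })
    interface Shape {}
    static class Circle implements Shape { public double radius; }
    static class Square implements Shape { public double side; }

    static ObjectMapper hardenedMapper() {
        return new ObjectMapper(); // no enableDefaultTyping call
    }

    // Returns true when the mapper refuses a type id outside the declared list.
    // Jackson reports this as a JsonMappingException (InvalidTypeIdException on 2.9+).
    static boolean rejectsUnknownTypeId(ObjectMapper mapper) throws Exception {
        String hostile = "{\"type\":\"com.example.NotAShape\",\"radius\":1}"; // constructed input
        try {
            mapper.readValue(hostile, Shape.class);
            return false;
        } catch (JsonMappingException e) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper safe = hardenedMapper();
        Shape s = safe.readValue("{\"type\":\"circle\",\"radius\":2.0}", Shape.class);
        System.out.println(s.getClass().getSimpleName());
        System.out.println(rejectsUnknownTypeId(safe));
    }
}
```

Upgrading to one of the patched versions listed above is still required; the hardened configuration removes the precondition rather than the underlying gadget.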

Reviewed Jun 11, 2020
Published to the GitHub Advisory Database Jun 15, 2020
Last updated Mar 1, 2024

Severity

High
7.5 / 10

CVSS base metrics

Attack vector
Network
Attack complexity
High
Privileges required
None
User interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE ID

CVE-2018-12023

GHSA ID

GHSA-6wqp-v4v6-c87c
