CVE-2018-12022

An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.

Published: Mar 21, 2019
Updated: Sep 14, 2023
CVE: CVE-2018-12022
GHSA: GHSA-cjjf-94ff-43w7
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS v2:

Severity: Medium
Score: 5.1
AV:N/AC:H/Au:N/C:P/I:P/A:P

CWEs:

CWE-502

OWASP TOP 10:

A8 - Insecure Deserialization

Affected Software
References

Software	From	Fixed in
fasterxml / jackson-databind	2.7.0	2.7.9.4
fasterxml / jackson-databind	2.8.0	2.8.11.2
fasterxml / jackson-databind	2.9.0	2.9.6
debian / debian_linux	9.0	9.0.x
fedoraproject / fedora	29	29.x
oracle / jd_edwards_enterpriseone_tools	9.2	9.2.x
oracle / retail_merchandising_system	15.0	15.0.x
redhat / openshift_container_platform	3.11	3.11.x
redhat / jboss_enterprise_application_platform	7.2.0	7.2.0.x
redhat / single_sign-on	7.3	7.3.x
redhat / jboss_brms	6.4.10	6.4.10.x
redhat / automation_manager	7.3.1	7.3.1.x
redhat / decision_manager	7.3.1	7.3.1.x
com.fasterxml.jackson.core / jackson-databind	-	2.7.9.4
com.fasterxml.jackson.core / jackson-databind	2.8.0	2.8.11.2
com.fasterxml.jackson.core / jackson-databind	2.9.0	2.9.6
fasterxml / jackson-databind	2.0.0	2.6.7.3

Vulnerability Database

289,599

CVE-2018-12022