CVE-2018-12023

An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.

Published: Mar 21, 2019
Updated: Nov 8, 2023
CVE: CVE-2018-12023
GHSA: GHSA-6wqp-v4v6-c87c
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS v2:

Severity: Medium
Score: 5.1
AV:N/AC:H/Au:N/C:P/I:P/A:P

CWEs:

CWE-502

OWASP TOP 10:

A8 - Insecure Deserialization

Affected Software
References

Software	From	Fixed in
fasterxml / jackson-databind	2.7.0	2.7.9.4
fasterxml / jackson-databind	2.8.0	2.8.11.2
fasterxml / jackson-databind	2.9.0	2.9.6
debian / debian_linux	9.0	9.0.x
fedoraproject / fedora	29	29.x
oracle / jd_edwards_enterpriseone_tools	9.2	9.2.x
oracle / retail_merchandising_system	15.0	15.0.x
redhat / openshift_container_platform	3.11	3.11.x
redhat / jboss_enterprise_application_platform	7.2.0	7.2.0.x
redhat / single_sign-on	7.3	7.3.x
redhat / jboss_brms	6.4.10	6.4.10.x
redhat / automation_manager	7.3.1	7.3.1.x
redhat / decision_manager	7.3.1	7.3.1.x
com.fasterxml.jackson.core / jackson-databind	2.7.0	2.7.9.4
com.fasterxml.jackson.core / jackson-databind	2.8.0	2.8.11.2
com.fasterxml.jackson.core / jackson-databind	2.9.0	2.9.6

Vulnerability Database

289,599

CVE-2018-12023