Vulnerability CVE-2018-19361


Published: 2019-01-02

Description:
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.

Type:

CWE-502

(Deserialization of Untrusted Data)

Vendor: Debian
Product: Debian linux 
Version: 9.0; 8.0;
Vendor: Redhat
Product: Decision manager 
Version: 7.3.1;
Product: Automation manager 
Version: 7.3.1;
Product: Jboss bpm suite 
Version: 6.4.11;
Product: Jboss brms 
Version: 6.4.10;
Product: Openshift container platform 
Version: 3.11;
Vendor: Fasterxml
Product: Jackson-databind 
Version:
2.9.7
2.9.6
2.9.5
2.9.4
2.9.3
2.9.2
2.9.1
2.9.0
2.8.9
2.8.8.1
2.8.8
2.8.7
2.8.6
2.8.5
2.8.4
2.8.3
2.8.2
2.8.11.3
2.8.11.2
2.8.11.1
2.8.11
2.8.10
2.8.1
2.8.0
2.7.9.5
2.7.9.4
2.7.9.3
2.7.9.2
2.7.9.1
2.7.9
2.7.8
2.7.7
2.7.6
2.7.5
2.7.4
2.7.3
2.7.2
2.7.1-1
2.7.1
2.7.0
2.6.7.2
2.6.7.1
2.6.7
2.6.6
2.6.5
2.6.4
2.6.3
2.6.2
2.6.1
2.6.0
2.5.5
2.5.4
2.5.3
2.5.2
2.5.1
2.5.0
2.4.6.1
2.4.6
2.4.5.1
2.4.5
2.4.4
2.4.3
2.4.2
2.4.1.3
2.4.1.2
2.4.1.1
2.4.1
2.4.0
2.3.5
2.3.4
2.3.3
2.3.2
2.3.1
2.3.0
2.2.4
2.2.3
2.2.2
2.2.1
2.2.0
2.1.5
2.1.4
2.1.3
2.1.2
2.1.1
2.1.0
2.0.6
2.0.5
2.0.4
2.0.2
2.0.1
2.0.0
See more versions on NVD
Vendor: Oracle
Product: Primavera unifier 
Version: 18.8;
Product: Primavera p6 enterprise project portfolio management 
Version: 18.8;

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
7.5/10
6.4/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial

 References:
http://www.securityfocus.com/bid/107985
https://access.redhat.com/errata/RHBA-2019:0959
https://access.redhat.com/errata/RHSA-2019:0782
https://access.redhat.com/errata/RHSA-2019:0877
https://access.redhat.com/errata/RHSA-2019:1782
https://access.redhat.com/errata/RHSA-2019:1797
https://access.redhat.com/errata/RHSA-2019:1822
https://access.redhat.com/errata/RHSA-2019:1823
https://access.redhat.com/errata/RHSA-2019:2804
https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8
https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b
https://github.com/FasterXML/jackson-databind/issues/2186
https://issues.apache.org/jira/browse/TINKERPOP-2121
https://lists.apache.org/thread.html/37e1ed724a1b0e5d191d98c822c426670bdfde83804567131847d2a3@%3Cdevnull.infra.apache.org%3E
https://lists.apache.org/thread.html/c70da3cb6e3f03e0ad8013e38b6959419d866c4a7c80fdd34b73f25c@%3Ccommits.pulsar.apache.org%3E
https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E
https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html
https://seclists.org/bugtraq/2019/May/68
https://security.netapp.com/advisory/ntap-20190530-0003/
https://www.debian.org/security/2019/dsa-4452
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Related CVE
CVE-2019-2879
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 8.0.16 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols...
CVE-2019-2878
Vulnerability in the Sun ZFS Storage Appliance Kit (AK) component of Oracle Sun Systems Products Suite (subcomponent: HTTP data path subsystems). The supported version that is affected is 8.8.3. Easily exploitable vulnerability allows unauthenticated...
CVE-2019-2877
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are Prior to 5.2.32 and prior to 6.0.10. Easily exploitable vulnerability allows low privileged attacker with logo...
CVE-2019-2876
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are Prior to 5.2.32 and prior to 6.0.10. Easily exploitable vulnerability allows low privileged attacker with logo...
CVE-2019-2875
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are Prior to 5.2.32 and prior to 6.0.10. Easily exploitable vulnerability allows low privileged attacker with logo...
CVE-2019-2874
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are Prior to 5.2.32 and prior to 6.0.10. Easily exploitable vulnerability allows low privileged attacker with logo...
CVE-2019-2873
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are Prior to 5.2.32 and prior to 6.0.10. Easily exploitable vulnerability allows low privileged attacker with logo...
CVE-2019-2871
Vulnerability in the Data Store component of Oracle Berkeley DB. Supported versions that are affected are 12.1.6.1.23, 12.1.6.1.26, 12.1.6.1.29, 12.1.6.1.36, 12.1.6.2.23 and 12.1.6.2.32. Difficult to exploit vulnerability allows unauthenticated attac...

Copyright 2019, cxsecurity.com

 

Back to Top