CVE-2018-12022 — jackson-databind Deserialization of Untrusted Data vulnerability

Description

An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.

How to fix CVE-2018-12022

To remediate CVE-2018-12022, upgrade the affected package to a fixed version below.

—upgrade to 2.9.8-1 or later
—upgrade to 2.7.9.4 or later

Is CVE-2018-12022 being exploited?

Low — EPSS is 3.1%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 2.9.8-1
from 0, < 2.7.9.4

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

References (42)

ADVISORYgithub.com/advisories/GHSA-cjjf-94ff-43w7
ADVISORYnvd.nist.gov/vuln/detail/CVE-2018-12022
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2018-12022
PATCHgithub.com/FasterXML/jackson-databind
WEB