CVE-2018-12023 — Deserialization of Untrusted Data

Description

An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.

How to fix CVE-2018-12023

To remediate CVE-2018-12023, upgrade the affected package to a fixed version below.

—upgrade to 2.9.8-1 or later
—upgrade to 2.7.9.4 or later

Is CVE-2018-12023 being exploited?

Low — EPSS is 4.9%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 2.9.8-1
>= 2.7.0, < 2.7.9.4

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

References (42)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2018-12023
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2018-12023
PATCHgithub.com/FasterXML/jackson-databind
WEBaccess.redhat.com/errata/RHBA-2019:0959
WEB