You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.
CVE-2018-7489 - High Severity Vulnerability
Vulnerable Libraries - jackson-databind-2.8.7.jar, jackson-databind-2.4.2.jar, jackson-databind-2.9.1.jar
jackson-databind-2.8.7.jar
General data-binding functionality for Jackson: works on core streaming API
path: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.8.7/6c3257ef458ac58a8da69a6dca3d2a15286d88c8/jackson-databind-2.8.7.jar
Library home page: http://github.com/FasterXML/jackson
Dependency Hierarchy:
jackson-databind-2.4.2.jar
General data-binding functionality for Jackson: works on core streaming API
path: radle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.4.2/8e31266a272ad25ac4c089734d93e8d811652c1f/jackson-databind-2.4.2.jar
Library home page: http://wiki.fasterxml.com/JacksonHome
Dependency Hierarchy:
jackson-databind-2.9.1.jar
General data-binding functionality for Jackson: works on core streaming API
path: radle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.1/716da1830a2043f18882fc036ec26eb32cbe5aff/jackson-databind-2.9.1.jar
Library home page: http://github.com/FasterXML/jackson
Dependency Hierarchy:
Vulnerability Details
FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.
Publish Date: 2018-02-26
URL: CVE-2018-7489
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: http://www.securitytracker.com/id/1040693
Fix Resolution: The vendor has issued a fix as part of the April 2018 Critical Patch Update.
The vendor advisory is available at:
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
Step up your Open Source Security Game with WhiteSource here
The text was updated successfully, but these errors were encountered: