Main Vulnerability Database Vulnerabilities #VU19942

Deserialization of Untrusted Data in jackson-databind - CVE-2018-12022

Published: August 6, 2019

Vulnerability identifier: #VU19942

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2018-12022

CWE-ID: CWE-502

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: FasterXML

Affected software:
jackson-databind

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists when Default Typing is enabled and the service has the Jodd-db jar in the classpath. A remote attacker can provide an LDAP service to access and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

How to mitigate CVE-2018-12022

Install updates from vendor's website.

Deserialization of Untrusted Data in jackson-databind - CVE-2018-12022

Detailed vulnerability description

How to mitigate CVE-2018-12022

Sources

Please verify you're human