An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and 2.9.6.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

References
Link Providers
https://access.redhat.com/errata/RHSA-2019:0782 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:1822 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:1823 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:2804 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:2858 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:3002 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:3140 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:3149 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:3892 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:4037 cve-icon cve-icon
https://github.com/FasterXML/jackson-databind/issues/2032 cve-icon cve-icon
https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/7fcf88aff0d1deaa5c3c7be8d58c05ad7ad5da94b59065d8e7c50c5d%40%3Cissues.lucene.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E cve-icon cve-icon
https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2017-7525 cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2018-11307 cve-icon
https://www.cve.org/CVERecord?id=CVE-2018-11307 cve-icon
https://www.oracle.com/security-alerts/cpuapr2020.html cve-icon cve-icon
https://www.oracle.com/security-alerts/cpujan2020.html cve-icon cve-icon
https://www.oracle.com/security-alerts/cpuoct2020.html cve-icon cve-icon
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html cve-icon cve-icon
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2024-08-05T08:01:52.866Z

Reserved: 2018-05-18T00:00:00

Link: CVE-2018-11307

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2019-07-09T16:15:12.807

Modified: 2024-11-21T03:43:06.380

Link: CVE-2018-11307

cve-icon Redhat

Severity : Important

Publid Date: 2018-05-10T00:00:00Z

Links: CVE-2018-11307 - Bugzilla

cve-icon OpenCVE Enrichment

No data.