{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2018-01-21T00:00:00", "descriptions": [{"lang": "en", "value": "FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-10-20T21:14:54", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "RHSA-2018:0479", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:0479"}, {"name": "RHSA-2018:0481", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:0481"}, {"name": "RHSA-2018:1525", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:1525"}, {"name": "RHSA-2018:0480", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:0480"}, {"name": "DSA-4114", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2018/dsa-4114"}, {"name": "RHSA-2018:0478", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:0478"}, {"name": "RHSA-2019:2858", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2019:2858"}, {"name": "RHSA-2019:3149", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2019:3149"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03902en_us"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20180423-0002/"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/FasterXML/jackson-databind/issues/1899"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-5968", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "RHSA-2018:0479", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2018:0479"}, {"name": "RHSA-2018:0481", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2018:0481"}, {"name": "RHSA-2018:1525", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2018:1525"}, {"name": "RHSA-2018:0480", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2018:0480"}, {"name": "DSA-4114", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2018/dsa-4114"}, {"name": "RHSA-2018:0478", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2018:0478"}, {"name": "RHSA-2019:2858", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:2858"}, {"name": "RHSA-2019:3149", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:3149"}, {"name": "https://www.oracle.com/security-alerts/cpuoct2020.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"}, {"name": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03902en_us", "refsource": "CONFIRM", "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03902en_us"}, {"name": "https://security.netapp.com/advisory/ntap-20180423-0002/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20180423-0002/"}, {"name": "https://github.com/FasterXML/jackson-databind/issues/1899", "refsource": "MISC", "url": "https://github.com/FasterXML/jackson-databind/issues/1899"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T05:47:56.169Z"}, "title": "CVE Program Container", "references": [{"name": "RHSA-2018:0479", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2018:0479"}, {"name": "RHSA-2018:0481", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2018:0481"}, {"name": "RHSA-2018:1525", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2018:1525"}, {"name": "RHSA-2018:0480", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2018:0480"}, {"name": "DSA-4114", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2018/dsa-4114"}, {"name": "RHSA-2018:0478", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2018:0478"}, {"name": "RHSA-2019:2858", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2019:2858"}, {"name": "RHSA-2019:3149", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2019:3149"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03902en_us"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20180423-0002/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/FasterXML/jackson-databind/issues/1899"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-5968", "datePublished": "2018-01-22T04:00:00", "dateReserved": "2018-01-21T00:00:00", "dateUpdated": "2024-08-05T05:47:56.169Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*", "matchCriteriaId": "7036DA13-110D-40B3-8494-E361BBF4AFCD", "versionEndExcluding": "2.6.7.3", "versionStartIncluding": "2.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*", "matchCriteriaId": "5BBA4A48-37C7-4165-B422-652EFD99B05B", "versionEndExcluding": "2.7.9.2", "versionStartIncluding": "2.7.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*", "matchCriteriaId": "53CC2248-EC84-4B3E-B5F3-E691C81377C0", "versionEndExcluding": "2.8.11.1", "versionStartIncluding": "2.8.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*", "matchCriteriaId": "603345A2-FA66-4B4C-9143-AE710EF6626F", "versionEndExcluding": "2.9.4", "versionStartIncluding": "2.9.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "51EF4996-72F4-4FA4-814F-F5991E7A8318", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.1:*:*:*:*:*:*:*", "matchCriteriaId": "064E7BDD-4EF0-4A0D-A38D-8C75BAFEDCEF", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:virtualization:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "6BBD7A51-0590-4DDF-8249-5AFA8D645CB6", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:virtualization_host:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "BB28F9AF-3D06-4532-B397-96D7E4792503", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "9BBCD86A-E6C7-4444-9D74-F861084090F0", "vulnerable": false}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "51EF4996-72F4-4FA4-814F-F5991E7A8318", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.1:*:*:*:*:*:*:*", "matchCriteriaId": "7117F117-D439-45EB-BB95-397E5E52C9BB", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*", "matchCriteriaId": "2F87326E-0B56-4356-A889-73D026DB1D4B", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netapp:e-series_santricity_os_controller:*:*:*:*:*:*:*:*", "matchCriteriaId": "BD1E9594-C46F-40D1-8BC2-6B16635B55C4", "versionEndIncluding": "11.60.3", "versionStartIncluding": "11.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:netapp:e-series_santricity_web_services_proxy:-:*:*:*:*:*:*:*", "matchCriteriaId": "23F148EC-6D6D-4C4F-B57C-CFBCD3D32B41", "vulnerable": true}, {"criteria": "cpe:2.3:a:netapp:oncommand_shift:-:*:*:*:*:*:*:*", "matchCriteriaId": "3BD81527-A341-42C3-9AB9-880D3DB04B08", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist."}, {"lang": "es", "value": "FasterXML jackson-databind, hasta la versi\u00f3n 2.8.11 y las versiones 2.9.x hasta la 2.9.3, permite la ejecuci\u00f3n remota de c\u00f3digo sin autenticar debido a una soluci\u00f3n incompleta para los errores de deserializaci\u00f3n CVE-2017-7525 y CVE-2017-17485. Esto es explotable mediante dos gadgets diferentes que omiten una lista negra."}], "id": "CVE-2018-5968", "lastModified": "2023-09-13T14:19:04.790", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-01-22T04:29:00.327", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:0478"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:0479"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:0480"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:0481"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:1525"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2019:2858"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2019:3149"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/FasterXML/jackson-databind/issues/1899"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20180423-0002/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03902en_us"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2018/dsa-4114"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-184"}, {"lang": "en", "value": "CWE-502"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2018:0478", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "impact": "moderate", "package": "jackson-databind", "product_name": "Red Hat JBoss EAP 7", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0479", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "impact": "moderate", "package": "eap7-activemq-artemis-0:1.5.5.009-1.redhat_1.1.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0479", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "impact": "moderate", "package": "eap7-apache-cxf-0:3.1.13-1.redhat_1.1.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0479", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "impact": "moderate", "package": "eap7-glassfish-jsf-0:2.2.13-6.SP5_redhat_1.1.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0479", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "impact": "moderate", "package": "eap7-hibernate-0:5.1.12-1.Final_redhat_1.1.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0479", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "impact": "moderate", "package": "eap7-infinispan-0:8.2.9-1.Final_redhat_1.1.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0479", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "impact": "moderate", "package": "eap7-ironjacamar-0:1.4.7-1.Final_redhat_1.1.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0479", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "impact": "moderate", "package": "eap7-jackson-annotations-0:2.8.11-1.redhat_1.1.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0479", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "impact": "moderate", "package": "eap7-jackson-core-0:2.8.11-1.redhat_1.1.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0479", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "impact": "moderate", "package": "eap7-jackson-databind-0:2.8.11-1.redhat_1.1.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0479", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "impact": "moderate", "package": "eap7-jackson-jaxrs-providers-0:2.8.11-1.redhat_1.1.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0479", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "impact": "moderate", "package": "eap7-jackson-module-jaxb-annotations-0:2.8.11-1.redhat_1.1.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0479", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "impact": "moderate", "package": "eap7-jackson-modules-java8-0:2.8.11-1.redhat_1.1.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0479", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "impact": "moderate", "package": "eap7-jboss-logmanager-0:2.0.8-1.Final_redhat_1.1.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0479", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "impact": "moderate", "package": "eap7-jboss-server-migration-0:1.0.3-6.Final_redhat_6.1.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0479", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "impact": "moderate", "package": "eap7-jbossws-cxf-0:5.1.10-1.Final_redhat_1.1.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0479", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "impact": "moderate", "package": "eap7-narayana-0:5.5.31-1.Final_redhat_1.1.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0479", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "impact": "moderate", "package": "eap7-picketlink-bindings-0:2.5.5-10.SP9_redhat_1.1.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0479", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "impact": "moderate", "package": "eap7-picketlink-federation-0:2.5.5-10.SP9_redhat_1.1.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0479", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "impact": "moderate", "package": "eap7-resteasy-0:3.0.25-1.Final_redhat_1.1.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0479", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "impact": "moderate", "package": "eap7-undertow-0:1.4.18-4.SP2_redhat_1.1.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0479", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "impact": "moderate", "package": "eap7-undertow-jastow-0:2.0.3-1.Final_redhat_1.1.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0479", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "impact": "moderate", "package": "eap7-wildfly-0:7.1.1-4.GA_redhat_2.1.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0479", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "impact": "moderate", "package": "eap7-wildfly-elytron-0:1.1.8-1.Final_redhat_1.1.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0479", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "impact": "moderate", "package": "eap7-wildfly-http-client-0:1.0.9-1.Final_redhat_1.1.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0479", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "impact": "moderate", "package": "eap7-wildfly-javadocs-0:7.1.1-3.GA_redhat_2.1.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0479", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "impact": "moderate", "package": "eap7-wss4j-0:2.1.11-1.redhat_1.1.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0479", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "impact": "moderate", "package": "eap7-xml-security-0:2.0.9-1.redhat_1.1.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "impact": "moderate", "package": "eap7-jboss-ec2-eap-0:7.1.1-3.1.GA_redhat_3.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0480", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "impact": "moderate", "package": "eap7-activemq-artemis-0:1.5.5.009-1.redhat_1.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0480", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "impact": "moderate", "package": "eap7-apache-cxf-0:3.1.13-1.redhat_1.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0480", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "impact": "moderate", "package": "eap7-glassfish-jsf-0:2.2.13-6.SP5_redhat_1.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0480", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "impact": "moderate", "package": "eap7-hibernate-0:5.1.12-1.Final_redhat_1.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0480", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "impact": "moderate", "package": "eap7-infinispan-0:8.2.9-1.Final_redhat_1.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0480", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "impact": "moderate", "package": "eap7-ironjacamar-0:1.4.7-1.Final_redhat_1.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0480", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "impact": "moderate", "package": "eap7-jackson-annotations-0:2.8.11-1.redhat_1.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0480", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "impact": "moderate", "package": "eap7-jackson-core-0:2.8.11-1.redhat_1.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0480", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "impact": "moderate", "package": "eap7-jackson-databind-0:2.8.11-1.redhat_1.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0480", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "impact": "moderate", "package": "eap7-jackson-jaxrs-providers-0:2.8.11-1.redhat_1.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0480", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "impact": "moderate", "package": "eap7-jackson-module-jaxb-annotations-0:2.8.11-1.redhat_1.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0480", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "impact": "moderate", "package": "eap7-jackson-modules-java8-0:2.8.11-1.redhat_1.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0480", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "impact": "moderate", "package": "eap7-jboss-logmanager-0:2.0.8-1.Final_redhat_1.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0480", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "impact": "moderate", "package": "eap7-jboss-server-migration-0:1.0.3-6.Final_redhat_6.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0480", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "impact": "moderate", "package": "eap7-jbossws-cxf-0:5.1.10-1.Final_redhat_1.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0480", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "impact": "moderate", "package": "eap7-narayana-0:5.5.31-1.Final_redhat_1.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0480", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "impact": "moderate", "package": "eap7-picketlink-bindings-0:2.5.5-10.SP9_redhat_1.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0480", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "impact": "moderate", "package": "eap7-picketlink-federation-0:2.5.5-10.SP9_redhat_1.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0480", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "impact": "moderate", "package": "eap7-resteasy-0:3.0.25-1.Final_redhat_1.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0480", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "impact": "moderate", "package": "eap7-undertow-0:1.4.18-4.SP2_redhat_1.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0480", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "impact": "moderate", "package": "eap7-undertow-jastow-0:2.0.3-1.Final_redhat_1.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0480", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "impact": "moderate", "package": "eap7-wildfly-0:7.1.1-4.GA_redhat_2.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0480", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "impact": "moderate", "package": "eap7-wildfly-elytron-0:1.1.8-1.Final_redhat_1.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0480", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "impact": "moderate", "package": "eap7-wildfly-http-client-0:1.0.9-1.Final_redhat_1.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0480", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "impact": "moderate", "package": "eap7-wildfly-javadocs-0:7.1.1-3.GA_redhat_2.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0480", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "impact": "moderate", "package": "eap7-wss4j-0:2.1.11-1.redhat_1.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0480", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "impact": "moderate", "package": "eap7-xml-security-0:2.0.9-1.redhat_1.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "impact": "moderate", "package": "eap7-jboss-ec2-eap-0:7.1.1-3.1.GA_redhat_3.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2019:3149", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/ose-logging-elasticsearch5:v3.11.153-2", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-10-18T00:00:00Z"}, {"advisory": "RHSA-2019:2858", "cpe": "cpe:/a:redhat:openshift:4.1::el7", "package": "openshift4/ose-logging-elasticsearch5:v4.1.18-201909201915", "product_name": "Red Hat OpenShift Container Platform 4.1", "release_date": "2019-09-27T00:00:00Z"}, {"advisory": "RHSA-2018:1525", "cpe": "cpe:/o:redhat:enterprise_linux:7::hypervisor", "package": "rhvm-appliance-0:4.2-20180504.0", "product_name": "Red Hat Virtualization 4 for Red Hat Enterprise Linux 7", "release_date": "2018-05-15T00:00:00Z"}], "bugzilla": {"description": "jackson-databind: unsafe deserialization due to incomplete blacklist (incomplete fix for CVE-2017-7525 and CVE-2017-17485)", "id": "1538332", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1538332"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.1", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-502", "details": ["FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.", "A deserialization flaw was discovered in the jackson-databind that could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaws CVE-2017-7525 and CVE-2017-17485 by blacklisting more classes that could be used maliciously."], "name": "CVE-2018-5968", "package_state": [{"cpe": "cpe:/a:redhat:jboss_dev_studio:10.", "fix_state": "Will not fix", "package_name": "jackson-databind", "product_name": "JBoss Developer Studio 10"}, {"cpe": "cpe:/a:redhat:jboss_dev_studio:8.", "fix_state": "Will not fix", "package_name": "jackson-databind", "product_name": "JBoss Developer Studio 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:6", "fix_state": "Affected", "package_name": "jackson-databind", "product_name": "Red Hat BPM Suite 6"}, {"cpe": "cpe:/a:redhat:jboss_amq:6", "fix_state": "Not affected", "package_name": "jackson-databind", "product_name": "Red Hat JBoss A-MQ 6"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Not affected", "package_name": "jackson-databind", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_data_virtualization:6", "fix_state": "Will not fix", "package_name": "jackson-databind", "product_name": "Red Hat JBoss Data Virtualization 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Affected", "impact": "moderate", "package_name": "jackson-databind", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Not affected", "package_name": "jackson-databind", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:openshift:3.10", "fix_state": "Affected", "package_name": "elasticsearch-cloud-kubernetes", "product_name": "Red Hat OpenShift Container Platform 3.10"}, {"cpe": "cpe:/a:redhat:openshift:3.10", "fix_state": "Affected", "package_name": "openshift-elasticsearch-plugin", "product_name": "Red Hat OpenShift Container Platform 3.10"}, {"cpe": "cpe:/a:redhat:openshift:3.6", "fix_state": "Affected", "package_name": "openshift-elasticsearch-plugin", "product_name": "Red Hat OpenShift Container Platform 3.6"}, {"cpe": "cpe:/a:redhat:openshift:3.7", "fix_state": "Affected", "package_name": "openshift-elasticsearch-plugin", "product_name": "Red Hat OpenShift Container Platform 3.7"}, {"cpe": "cpe:/a:redhat:openshift:3.9", "fix_state": "Affected", "package_name": "elasticsearch-cloud-kubernetes", "product_name": "Red Hat OpenShift Container Platform 3.9"}, {"cpe": "cpe:/a:redhat:openshift:3.9", "fix_state": "Affected", "package_name": "openshift-elasticsearch-plugin", "product_name": "Red Hat OpenShift Container Platform 3.9"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Will not fix", "package_name": "jackson-databind", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Not affected", "package_name": "jackson-databind", "product_name": "Red Hat Single Sign-On 7"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Will not fix", "package_name": "rh-eclipse46-jackson-databind", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Will not fix", "package_name": "rh-maven35-jackson-databind", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:rhel_sam:1", "fix_state": "Will not fix", "package_name": "jackson-databind", "product_name": "Red Hat Subscription Asset Manager"}], "public_date": "2018-01-18T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2018-5968\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-5968"], "statement": "JBoss EAP 7.x only uses the vulnerable Jackson Databind library for marshalling and unmarshalling of JSON objects passed to JAX-RS webservices. Some advice about how to remain safe when using JAX-RS webservices on JBoss EAP 7.x is available here: \nhttps://access.redhat.com/solutions/3279231\nThis issue affects the versions of jackson-databind (in Satellite 6.0 and 6.1) and candlepin (which embeds a copy of jackson-databind in Satellite 6.2) as shipped with Red Hat Satellitw 6.x. However the affected code is NOT used at this time:\nCandlepin currently uses the default type resolution configuration for the ObjectMappers it creates/uses. Nowhere in candlepin do we enable global polymorphic deserialization via enableDefaultTyping(...), therefore based on the documentation sited BZ 1462702 , candlepin should not be affected.\nHowever as the vulnerable software ships with the product we have marked them as vulnerable to ensure the issue is tracked.\nRed Hat Subscription Asset Manager version 1 is now in a reduced support phase receiving only Critical impact security fixes. This issue has been rated as having Important security impact and is not currently planned to be addressed in future updates.", "threat_severity": "Moderate", "upstream_fix": "jackson-databind 2.9.4"}