FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

References
Link Providers
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html cve-icon cve-icon
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html cve-icon cve-icon
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html cve-icon cve-icon
http://www.securityfocus.com/bid/103203 cve-icon cve-icon
http://www.securitytracker.com/id/1040693 cve-icon cve-icon
http://www.securitytracker.com/id/1041890 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2018:1447 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2018:1448 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2018:1449 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2018:1450 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2018:1451 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2018:1786 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2018:2088 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2018:2089 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2018:2090 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2018:2938 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2018:2939 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:2858 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:3149 cve-icon cve-icon
https://access.redhat.com/solutions/3442891 cve-icon
https://github.com/FasterXML/jackson-databind/issues/1931 cve-icon cve-icon
https://lists.apache.org/thread.html/r1d4a247329a8478073163567bbc8c8cb6b49c6bfc2bf58153a857af1%40%3Ccommits.druid.apache.org%3E cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2018-7489 cve-icon
https://security.netapp.com/advisory/ntap-20180328-0001/ cve-icon cve-icon
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03902en_us cve-icon cve-icon
https://www.cve.org/CVERecord?id=CVE-2018-7489 cve-icon
https://www.debian.org/security/2018/dsa-4190 cve-icon cve-icon
https://www.oracle.com/security-alerts/cpuoct2020.html cve-icon cve-icon
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html cve-icon cve-icon
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html cve-icon cve-icon
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html cve-icon cve-icon
History

Fri, 23 Aug 2024 05:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:jboss_enterprise_application_platform:7::el7 cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2024-08-05T06:31:03.738Z

Reserved: 2018-02-26T00:00:00

Link: CVE-2018-7489

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2018-02-26T15:29:00.417

Modified: 2024-11-21T04:12:13.653

Link: CVE-2018-7489

cve-icon Redhat

Severity : Moderate

Publid Date: 2018-02-26T00:00:00Z

Links: CVE-2018-7489 - Bugzilla

cve-icon OpenCVE Enrichment

No data.