CVE-2018-11307

CVE-2018-11307

An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and 2.9.6.

Published Sep 11, 2018

Issue #2032 blog.sonatype.com blog.sonatype.com

CVSS ScoreCritical

9.8

Vulnerabilities

CVE-2018-11307

Published Sep 11, 2018

Issue #2032 blog.sonatype.com blog.sonatype.com

CVSS ScoreCritical

9.8

CVE-2018-11307 Security Details

CVE ID: CVE-2018-11307
CWE: CWE-502
CVE Description: An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and 2.9.6.
Published: Sep 11, 2018
CVSS Score & Severity: 9.8Critical
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 12.430%
Malware: malware
KEV Status: Not in KEV Catalog: No known exploits
Vulnerable Methods: com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.createBeanDeserializer(Lcom/fasterxml/jackson/databind/DeserializationContext;Lcom/fasterxml/jackson/databind/JavaType;Lcom/fasterxml/jackson/databind/BeanDescription;)Lcom/fasterxml/jackson/databind/JsonDeserializer;
JVMVulnerable params: 0
com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.validateSubType(Lcom/fasterxml/jackson/databind/DeserializationContext;Lcom/fasterxml/jackson/databind/JavaType;)V
JVMVulnerable params: 0
com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.validateSubType(Lcom/fasterxml/jackson/databind/DeserializationContext;Lcom/fasterxml/jackson/databind/JavaType;Lcom/fasterxml/jackson/databind/BeanDescription;)V
JVMVulnerable params: 0
Affected Ecosystems: affected
Source: National Vulnerability Database
References: GitHub · Issue #2032PROJECT
blog.sonatype.comTHIRD_PARTY
blog.sonatype.comTHIRD_PARTY

CVE-2018-11307 Security Details

CVE ID: CVE-2018-11307
CWE: CWE-502
CVE Description: An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and 2.9.6.
Published: Sep 11, 2018
CVSS Score & Severity: 9.8Critical
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 12.430%
Malware: malware
KEV Status: Not in KEV Catalog: No known exploits
Vulnerable Methods: com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.createBeanDeserializer(Lcom/fasterxml/jackson/databind/DeserializationContext;Lcom/fasterxml/jackson/databind/JavaType;Lcom/fasterxml/jackson/databind/BeanDescription;)Lcom/fasterxml/jackson/databind/JsonDeserializer;
JVMVulnerable params: 0
com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.validateSubType(Lcom/fasterxml/jackson/databind/DeserializationContext;Lcom/fasterxml/jackson/databind/JavaType;)V
JVMVulnerable params: 0
com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.validateSubType(Lcom/fasterxml/jackson/databind/DeserializationContext;Lcom/fasterxml/jackson/databind/JavaType;Lcom/fasterxml/jackson/databind/BeanDescription;)V
JVMVulnerable params: 0
Affected Ecosystems: affected
Source: National Vulnerability Database
References: GitHub · Issue #2032PROJECT
blog.sonatype.comTHIRD_PARTY
blog.sonatype.comTHIRD_PARTY

Find vulnerabilities. Fix fast with AI.

CVE-2018-11307

CVE-2018-11307 Security Details

CVE-2018-11307 Security Details