CVE-2018-19360

Current Description

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.

Basic Data

Published: January 02, 2019
Last Modified: July 29, 2020
Assigner: cve@mitre.org
Data Type: CVE
Data Format: MITRE
Data Version: 4.0
Problem Type: CWE-502
CVE Data Version: 4.0

Base Metric V2

CVSS 2 - Version: 2.0
CVSS 2 - Vector String: AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS 2 - Access Vector: NETWORK
CVSS 2 - Access Complexity: LOW
CVSS 2 - Authentication: NONE
CVSS 2 - Confidentiality Impact: PARTIAL
CVSS 2 - Availability Impact: PARTIAL
CVSS 2 - Base Score: 7.5
Severity: HIGH
Exploitability Score: 10.0
Impact Score: 6.4
Obtain All Privilege: false
Obtain User Privilege: false
Obtain Other Privilege: false

Base Metric V3

CVSS 3 - Version: 3.0
CVSS 3 - Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 3 - Attack Vector: NETWORK
CVSS 3 - Attack Complexity: LOW
CVSS 3 - Privileges Required: NONE
CVSS 3 - User Interaction: NONE
CVSS 3 - Scope: UNCHANGED
CVSS 3 - Confidentiality Impact: HIGH
CVSS 3 - Integrity Impact: HIGH
CVSS 3 - Availability Impact: HIGH
CVSS 3 - Base Score: 9.8
CVSS 3 - Base Severity: CRITICAL
Exploitability Score: 3.9
Base Severity: CRITICAL

Configurations

All entries are CPE 2.3. The Update, Edition, Language, SW Edition, Target SW, Target HW and Other fields are * (any) for every entry, so only the remaining fields are shown.

  • OR - Configuration 1
    Part        | Vendor    | Product          | Version | Version Start | Version End
    Application | Fasterxml | Jackson-databind | *       | 2.6.0         | 2.6.7.2
    Application | Fasterxml | Jackson-databind | *       | 2.7.0         | 2.7.9.5
    Application | Fasterxml | Jackson-databind | *       | 2.8.0         | 2.8.11.3
    Application | Fasterxml | Jackson-databind | *       | 2.9.0         | 2.9.8
  • OR - Configuration 2
    Part | Vendor | Product      | Version | Version Start | Version End
    OS   | Debian | Debian Linux | 8.0     |               |
  • OR - Configuration 3
    Part        | Vendor | Product                                              | Version    | Version Start | Version End
    Application | Oracle | Business Process Management Suite                    | 12.1.3.0.0 |               |
    Application | Oracle | Business Process Management Suite                    | 12.2.1.3.0 |               |
    Application | Oracle | Primavera P6 Enterprise Project Portfolio Management | 15.1       |               |
    Application | Oracle | Primavera P6 Enterprise Project Portfolio Management | 15.2       |               |
    Application | Oracle | Primavera P6 Enterprise Project Portfolio Management | 16.1       |               |
    Application | Oracle | Primavera P6 Enterprise Project Portfolio Management | 16.2       |               |
    Application | Oracle | Primavera P6 Enterprise Project Portfolio Management | *          | 17.7          | 17.12
    Application | Oracle | Primavera P6 Enterprise Project Portfolio Management | 18.8       |               |
    Application | Oracle | Primavera Unifier                                    | 16.1       |               |
    Application | Oracle | Primavera Unifier                                    | 16.2       |               |
    Application | Oracle | Primavera Unifier                                    | *          | 17.7          | 17.12
    Application | Oracle | Primavera Unifier                                    | 18.8       |               |
    Application | Oracle | Retail Workforce Management Software                 | 1.60.9.0.0 |               |
    Application | Oracle | Webcenter Portal                                     | 12.2.1.3.0 |               |
  • OR - Configuration 4
    Part        | Vendor | Product                      | Version | Version Start | Version End
    Application | Redhat | Automation Manager           | 7.3.1   |               |
    Application | Redhat | Decision Manager             | 7.3.1   |               |
    Application | Redhat | Jboss Bpm Suite              | 6.4.11  |               |
    Application | Redhat | Jboss Brms                   | 6.4.10  |               |
    Application | Redhat | Openshift Container Platform | 3.11    |               |

Vulnerable Software List

Vendor    | Product                                              | Versions
Fasterxml | Jackson-databind                                     | *
Debian    | Debian Linux                                         | 8.0
Redhat    | Jboss Brms                                           | 6.4.10
Redhat    | Automation Manager                                   | 7.3.1
Redhat    | Jboss Bpm Suite                                      | 6.4.11
Redhat    | Decision Manager                                     | 7.3.1
Redhat    | Openshift Container Platform                         | 3.11
Oracle    | Webcenter Portal                                     | 12.2.1.3.0
Oracle    | Primavera Unifier                                    | *, 16.1, 16.2, 18.8
Oracle    | Primavera P6 Enterprise Project Portfolio Management | *, 15.1, 15.2, 16.1, 16.2, 18.8
Oracle    | Retail Workforce Management Software                 | 1.60.9.0.0
Oracle    | Business Process Management Suite                    | 12.1.3.0.0, 12.2.1.3.0

References

Name | URL | Source | Tags
107985 | http://www.securityfocus.com/bid/107985 | BID | Third Party Advisory, VDB Entry
RHBA-2019:0959 | https://access.redhat.com/errata/RHBA-2019:0959 | REDHAT | Third Party Advisory
RHSA-2019:0782 | https://access.redhat.com/errata/RHSA-2019:0782 | REDHAT | Third Party Advisory
RHSA-2019:0877 | https://access.redhat.com/errata/RHSA-2019:0877 | REDHAT | Third Party Advisory
RHSA-2019:1782 | https://access.redhat.com/errata/RHSA-2019:1782 | REDHAT | Third Party Advisory
RHSA-2019:1797 | https://access.redhat.com/errata/RHSA-2019:1797 | REDHAT | Third Party Advisory
RHSA-2019:1822 | https://access.redhat.com/errata/RHSA-2019:1822 | REDHAT | Third Party Advisory
RHSA-2019:1823 | https://access.redhat.com/errata/RHSA-2019:1823 | REDHAT | Third Party Advisory
RHSA-2019:2804 | https://access.redhat.com/errata/RHSA-2019:2804 | REDHAT |
RHSA-2019:2858 | https://access.redhat.com/errata/RHSA-2019:2858 | REDHAT |
RHSA-2019:3002 | https://access.redhat.com/errata/RHSA-2019:3002 | REDHAT |
RHSA-2019:3140 | https://access.redhat.com/errata/RHSA-2019:3140 | REDHAT |
RHSA-2019:3149 | https://access.redhat.com/errata/RHSA-2019:3149 | REDHAT |
RHSA-2019:3892 | https://access.redhat.com/errata/RHSA-2019:3892 | REDHAT |
RHSA-2019:4037 | https://access.redhat.com/errata/RHSA-2019:4037 | REDHAT |
https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8 | https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8 | CONFIRM | Patch, Release Notes, Third Party Advisory
https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b | https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b | CONFIRM | Patch, Third Party Advisory
https://github.com/FasterXML/jackson-databind/issues/2186 | https://github.com/FasterXML/jackson-databind/issues/2186 | CONFIRM | Issue Tracking, Patch, Third Party Advisory
https://issues.apache.org/jira/browse/TINKERPOP-2121 | https://issues.apache.org/jira/browse/TINKERPOP-2121 | CONFIRM | Issue Tracking, Third Party Advisory
[infra-devnull] 20190329 [GitHub] [pulsar] massakam opened pull request #3938: Upgrade third party libraries with security vulnerabilities | https://lists.apache.org/thread.html/37e1ed724a1b0e5d191d98c822c426670bdfde83804567131847d2a3@%3Cdev | MLIST | Mailing List, Patch, Third Party Advisory
[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities | https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev | MLIST |
[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities | https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev | MLIST |
[nifi-commits] 20191113 svn commit: r1869773 - /nifi/site/trunk/security.html | https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccom | MLIST |
[pulsar-commits] 20190329 [GitHub] [pulsar] massakam opened a new pull request #3938: Upgrade third party libraries with security vulnerabilities | https://lists.apache.org/thread.html/c70da3cb6e3f03e0ad8013e38b6959419d866c4a7c80fdd34b73f25c@%3Ccom | MLIST | Mailing List, Patch, Third Party Advisory
[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities | https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Ciss | MLIST |
[pulsar-commits] 20190416 [GitHub] [pulsar] one70six opened a new issue #4057: Security Vulnerabilities - Black Duck Scan - Pulsar v.2.3.1 | https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccom | MLIST | Third Party Advisory
[bookkeeper-issues] 20200729 [GitHub] [bookkeeper] padma81 opened a new issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image | https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cis | MLIST |
[nifi-commits] 20200123 svn commit: r1873083 - /nifi/site/trunk/security.html | https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Cco | MLIST |
[debian-lts-announce] 20190304 [SECURITY] [DLA 1703-1] jackson-databind security update | https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html | MLIST | Mailing List, Third Party Advisory
20190527 [SECURITY] [DSA 4452-1] jackson-databind security update | https://seclists.org/bugtraq/2019/May/68 | BUGTRAQ | Mailing List, Third Party Advisory
https://security.netapp.com/advisory/ntap-20190530-0003/ | https://security.netapp.com/advisory/ntap-20190530-0003/ | CONFIRM | Third Party Advisory
DSA-4452 | https://www.debian.org/security/2019/dsa-4452 | DEBIAN | Third Party Advisory
N/A | https://www.oracle.com/security-alerts/cpuapr2020.html | N/A |
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html | https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html | MISC | Patch, Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html | https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html | MISC | Patch, Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html | https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html | MISC |