CVE-2018-7489
CVE-2018-7489
FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.
Affected products
n/a · n/aWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
https://access.redhat.com/errata/RHSA-2018:1447https://access.redhat.com/errata/RHSA-2018:1448https://access.redhat.com/errata/RHSA-2018:1449https://access.redhat.com/errata/RHSA-2018:1450https://access.redhat.com/errata/RHSA-2018:1451https://access.redhat.com/errata/RHSA-2018:1786https://access.redhat.com/errata/RHSA-2018:2088https://access.redhat.com/errata/RHSA-2018:2089https://access.redhat.com/errata/RHSA-2018:2090https://access.redhat.com/errata/RHSA-2018:2938https://access.redhat.com/errata/RHSA-2018:2939https://access.redhat.com/errata/RHSA-2019:2858