An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.
References
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
Configuration 4 (hide)
|
Information
Published : 2019-03-21 09:00
Updated : 2020-10-20 15:15
NVD link : CVE-2018-12023
Mitre link : CVE-2018-12023
JSON object : View
CWE
CWE-502
Deserialization of Untrusted Data
Products Affected
fasterxml
- jackson-databind
redhat
- jboss_enterprise_application_platform
- jboss_brms
- automation_manager
- single_sign-on
- openshift_container_platform
- decision_manager
fedoraproject
- fedora
oracle
- jd_edwards_enterpriseone_tools
- retail_merchandising_system
debian
- debian_linux