CVE-2018-5968

FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist. The precondition is the same as for the earlier CVEs: the application must let untrusted JSON choose the concrete class to instantiate, typically by calling ObjectMapper.enableDefaultTyping() or by binding to a base type annotated with @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS). Each of the earlier fixes extended a denylist of known gadget classes (SubTypeValidator), so any class on the application's classpath that is not yet on the list remains usable; this record covers two more such classes, blocked in the releases following 2.8.11 and 2.9.3 (2.8.11.1 and 2.9.4). Applications that never enable polymorphic typing for untrusted input are not exposed, and upgrading the library alone does not protect an application that keeps default typing on, since further gadgets kept being found after this CVE.
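The following is an added example, not code from the jackson-databind project or from this CVE record. It shows the configuration that makes this gadget family reachable (global default typing with the class name taken from input) next to the allow-list configuration that closes it. The classes Greeting and StandInGadget are constructed for the example; StandInGadget only prints, standing in for a real gadget whose setter would have a dangerous side effect. The hardened half assumes jackson-databind 2.10 or later, which introduced PolymorphicTypeValidator; on the affected 2.8.x and 2.9.x versions the only safe option is to upgrade and to stop enabling default typing for untrusted input.

```java
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

/**
 * Added example (not jackson-databind project code). Contrasts the configuration that
 * exposes the CVE-2018-5968 gadget family with an allow-list configuration that closes it.
 * Requires jackson-databind 2.10+ for the hardened mapper.
 */
public class JacksonDefaultTypingDemo {

    /** Hypothetical application type: the only class that input is allowed to name. */
    public static class Greeting {
        public String text;
    }

    /**
     * Constructed stand-in for a gadget class. A real gadget (the kind this CVE's
     * blacklist failed to cover) has a setter or constructor with a dangerous side
     * effect; this one only prints, so the demo is safe to run.
     */
    public static class StandInGadget {
        public void setCommand(String command) {
            System.out.println("StandInGadget.setCommand reached during deserialization: " + command);
        }
    }

    /**
     * Attacker-controlled body. With default typing enabled, Jackson treats the first
     * array element as the class to instantiate. The name is derived from the local
     * class only to keep the example self-contained; in an attack it arrives in the request.
     */
    static final String UNTRUSTED_JSON =
            "[\"" + StandInGadget.class.getName() + "\", {\"command\": \"anything\"}]";

    /** VULNERABLE: global default typing, class names taken from input, denylist-only defence. */
    static ObjectMapper vulnerableMapper() {
        ObjectMapper mapper = new ObjectMapper();
        // Deprecated since 2.10 because of this CVE family: any non-final class on the
        // classpath that is not yet on the built-in blacklist is a candidate gadget.
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    /** HARDENED: polymorphic handling stays on, but only explicitly allowed subtypes resolve. */
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Greeting.class)   // allow-list; everything else is denied
                .build();
        return JsonMapper.builder()
                .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL)
                .build();
    }

    public static void main(String[] args) throws Exception {
        // Legacy configuration: the class named by the input is instantiated and its setter runs.
        Object fromVulnerable = vulnerableMapper().readValue(UNTRUSTED_JSON, Object.class);
        System.out.println("vulnerable mapper instantiated: " + fromVulnerable.getClass().getName());

        // Allow-listed configuration: the same input is rejected, the setter is never reached.
        try {
            hardenedMapper().readValue(UNTRUSTED_JSON, Object.class);
            System.out.println("hardened mapper accepted input (unexpected)");
        } catch (JsonMappingException e) {
            System.out.println("hardened mapper rejected type id: " + e.getOriginalMessage());
        }

        // The intended type still deserializes through the hardened mapper.
        String legit = "[\"" + Greeting.class.getName() + "\", {\"text\": \"hello\"}]";
        Greeting g = (Greeting) hardenedMapper().readValue(legit, Object.class);
        System.out.println("hardened mapper accepted Greeting: " + g.text);
    }
}
```

In production, prefer package-prefix rules such as allowIfSubType("com.example.model.") over Class-based rules: the prefix is compared against the class name before Jackson resolves the class, whereas a Class-based rule is evaluated only after the named class has been loaded. Better still, do not enable default typing at all and use @JsonTypeInfo(use = JsonTypeInfo.Id.NAME) with @JsonSubTypes on the specific base types that need polymorphism.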

Published: 2018-01-22 04:29    Updated: 2019-09-27 03:15

CVSS Score: 5.1 / 10
Vendor Product Version URI
Fasterxml Jackson-databind 2.0.0 cpe:/a:fasterxml:jackson-databind:2.0.0
Fasterxml Jackson-databind 2.0.0 cpe:/a:fasterxml:jackson-databind:2.0.0:-
Fasterxml Jackson-databind 2.0.0 cpe:/a:fasterxml:jackson-databind:2.0.0:rc1
Fasterxml Jackson-databind 2.0.0 cpe:/a:fasterxml:jackson-databind:2.0.0:rc2
Fasterxml Jackson-databind 2.0.0 cpe:/a:fasterxml:jackson-databind:2.0.0:rc3
Fasterxml Jackson-databind 2.0.1 cpe:/a:fasterxml:jackson-databind:2.0.1
Fasterxml Jackson-databind 2.0.2 cpe:/a:fasterxml:jackson-databind:2.0.2
Fasterxml Jackson-databind 2.0.4 cpe:/a:fasterxml:jackson-databind:2.0.4
Fasterxml Jackson-databind 2.0.5 cpe:/a:fasterxml:jackson-databind:2.0.5
Fasterxml Jackson-databind 2.0.6 cpe:/a:fasterxml:jackson-databind:2.0.6
Fasterxml Jackson-databind 2.1.0 cpe:/a:fasterxml:jackson-databind:2.1.0
Fasterxml Jackson-databind 2.1.1 cpe:/a:fasterxml:jackson-databind:2.1.1
Fasterxml Jackson-databind 2.1.2 cpe:/a:fasterxml:jackson-databind:2.1.2
Fasterxml Jackson-databind 2.1.3 cpe:/a:fasterxml:jackson-databind:2.1.3
Fasterxml Jackson-databind 2.1.4 cpe:/a:fasterxml:jackson-databind:2.1.4
Fasterxml Jackson-databind 2.1.5 cpe:/a:fasterxml:jackson-databind:2.1.5
Fasterxml Jackson-databind 2.2.0 cpe:/a:fasterxml:jackson-databind:2.2.0
Fasterxml Jackson-databind 2.2.0 cpe:/a:fasterxml:jackson-databind:2.2.0:-
Fasterxml Jackson-databind 2.2.0 cpe:/a:fasterxml:jackson-databind:2.2.0:rc1
Fasterxml Jackson-databind 2.2.1 cpe:/a:fasterxml:jackson-databind:2.2.1
Fasterxml Jackson-databind 2.2.2 cpe:/a:fasterxml:jackson-databind:2.2.2
Fasterxml Jackson-databind 2.2.3 cpe:/a:fasterxml:jackson-databind:2.2.3
Fasterxml Jackson-databind 2.2.4 cpe:/a:fasterxml:jackson-databind:2.2.4
Fasterxml Jackson-databind 2.3.0 cpe:/a:fasterxml:jackson-databind:2.3.0
Fasterxml Jackson-databind 2.3.0 cpe:/a:fasterxml:jackson-databind:2.3.0:-
Fasterxml Jackson-databind 2.3.0 cpe:/a:fasterxml:jackson-databind:2.3.0:rc1
Fasterxml Jackson-databind 2.3.1 cpe:/a:fasterxml:jackson-databind:2.3.1
Fasterxml Jackson-databind 2.3.2 cpe:/a:fasterxml:jackson-databind:2.3.2
Fasterxml Jackson-databind 2.3.3 cpe:/a:fasterxml:jackson-databind:2.3.3
Fasterxml Jackson-databind 2.3.4 cpe:/a:fasterxml:jackson-databind:2.3.4
Fasterxml Jackson-databind 2.3.5 cpe:/a:fasterxml:jackson-databind:2.3.5
Fasterxml Jackson-databind 2.4.0 cpe:/a:fasterxml:jackson-databind:2.4.0
Fasterxml Jackson-databind 2.4.0 cpe:/a:fasterxml:jackson-databind:2.4.0:-
Fasterxml Jackson-databind 2.4.0 cpe:/a:fasterxml:jackson-databind:2.4.0:rc1
Fasterxml Jackson-databind 2.4.0 cpe:/a:fasterxml:jackson-databind:2.4.0:rc2
Fasterxml Jackson-databind 2.4.0 cpe:/a:fasterxml:jackson-databind:2.4.0:rc3
Fasterxml Jackson-databind 2.4.1 cpe:/a:fasterxml:jackson-databind:2.4.1
Fasterxml Jackson-databind 2.4.1.1 cpe:/a:fasterxml:jackson-databind:2.4.1.1
Fasterxml Jackson-databind 2.4.1.2 cpe:/a:fasterxml:jackson-databind:2.4.1.2
Fasterxml Jackson-databind 2.4.1.3 cpe:/a:fasterxml:jackson-databind:2.4.1.3
Fasterxml Jackson-databind 2.4.2 cpe:/a:fasterxml:jackson-databind:2.4.2
Fasterxml Jackson-databind 2.4.3 cpe:/a:fasterxml:jackson-databind:2.4.3
Fasterxml Jackson-databind 2.4.4 cpe:/a:fasterxml:jackson-databind:2.4.4
Fasterxml Jackson-databind 2.4.5 cpe:/a:fasterxml:jackson-databind:2.4.5
Fasterxml Jackson-databind 2.4.5.1 cpe:/a:fasterxml:jackson-databind:2.4.5.1
Fasterxml Jackson-databind 2.4.6 cpe:/a:fasterxml:jackson-databind:2.4.6
Fasterxml Jackson-databind 2.4.6.1 cpe:/a:fasterxml:jackson-databind:2.4.6.1
Fasterxml Jackson-databind 2.5.0 cpe:/a:fasterxml:jackson-databind:2.5.0
Fasterxml Jackson-databind 2.5.0 cpe:/a:fasterxml:jackson-databind:2.5.0:-
Fasterxml Jackson-databind 2.5.0 cpe:/a:fasterxml:jackson-databind:2.5.0:rc1
Fasterxml Jackson-databind 2.5.1 cpe:/a:fasterxml:jackson-databind:2.5.1
Fasterxml Jackson-databind 2.5.2 cpe:/a:fasterxml:jackson-databind:2.5.2
Fasterxml Jackson-databind 2.5.3 cpe:/a:fasterxml:jackson-databind:2.5.3
Fasterxml Jackson-databind 2.5.4 cpe:/a:fasterxml:jackson-databind:2.5.4
Fasterxml Jackson-databind 2.5.5 cpe:/a:fasterxml:jackson-databind:2.5.5
Fasterxml Jackson-databind 2.6.0 cpe:/a:fasterxml:jackson-databind:2.6.0
Fasterxml Jackson-databind 2.6.0 cpe:/a:fasterxml:jackson-databind:2.6.0:-
Fasterxml Jackson-databind 2.6.0 cpe:/a:fasterxml:jackson-databind:2.6.0:rc1
Fasterxml Jackson-databind 2.6.0 cpe:/a:fasterxml:jackson-databind:2.6.0:rc2
Fasterxml Jackson-databind 2.6.0 cpe:/a:fasterxml:jackson-databind:2.6.0:rc3
Fasterxml Jackson-databind 2.6.0 cpe:/a:fasterxml:jackson-databind:2.6.0:rc4
Fasterxml Jackson-databind 2.6.1 cpe:/a:fasterxml:jackson-databind:2.6.1
Fasterxml Jackson-databind 2.6.2 cpe:/a:fasterxml:jackson-databind:2.6.2
Fasterxml Jackson-databind 2.6.3 cpe:/a:fasterxml:jackson-databind:2.6.3
Fasterxml Jackson-databind 2.6.4 cpe:/a:fasterxml:jackson-databind:2.6.4
Fasterxml Jackson-databind 2.6.5 cpe:/a:fasterxml:jackson-databind:2.6.5
Fasterxml Jackson-databind 2.6.6 cpe:/a:fasterxml:jackson-databind:2.6.6
Fasterxml Jackson-databind 2.6.7 cpe:/a:fasterxml:jackson-databind:2.6.7
Fasterxml Jackson-databind 2.6.7.1 cpe:/a:fasterxml:jackson-databind:2.6.7.1
Fasterxml Jackson-databind 2.6.7.2 cpe:/a:fasterxml:jackson-databind:2.6.7.2
Fasterxml Jackson-databind 2.7.0 cpe:/a:fasterxml:jackson-databind:2.7.0
Fasterxml Jackson-databind 2.7.0 cpe:/a:fasterxml:jackson-databind:2.7.0:-
Fasterxml Jackson-databind 2.7.0 cpe:/a:fasterxml:jackson-databind:2.7.0:rc1
Fasterxml Jackson-databind 2.7.0 cpe:/a:fasterxml:jackson-databind:2.7.0:rc2
Fasterxml Jackson-databind 2.7.0 cpe:/a:fasterxml:jackson-databind:2.7.0:rc3
Fasterxml Jackson-databind 2.7.1 cpe:/a:fasterxml:jackson-databind:2.7.1
Fasterxml Jackson-databind 2.7.1-1 cpe:/a:fasterxml:jackson-databind:2.7.1-1
Fasterxml Jackson-databind 2.7.2 cpe:/a:fasterxml:jackson-databind:2.7.2
Fasterxml Jackson-databind 2.7.3 cpe:/a:fasterxml:jackson-databind:2.7.3
Fasterxml Jackson-databind 2.7.4 cpe:/a:fasterxml:jackson-databind:2.7.4
Fasterxml Jackson-databind 2.7.5 cpe:/a:fasterxml:jackson-databind:2.7.5
Fasterxml Jackson-databind 2.7.6 cpe:/a:fasterxml:jackson-databind:2.7.6
Fasterxml Jackson-databind 2.7.7 cpe:/a:fasterxml:jackson-databind:2.7.7
Fasterxml Jackson-databind 2.7.8 cpe:/a:fasterxml:jackson-databind:2.7.8
Fasterxml Jackson-databind 2.7.9 cpe:/a:fasterxml:jackson-databind:2.7.9
Fasterxml Jackson-databind 2.7.9.1 cpe:/a:fasterxml:jackson-databind:2.7.9.1
Fasterxml Jackson-databind 2.7.9.2 cpe:/a:fasterxml:jackson-databind:2.7.9.2
Fasterxml Jackson-databind 2.7.9.3 cpe:/a:fasterxml:jackson-databind:2.7.9.3
Fasterxml Jackson-databind 2.7.9.4 cpe:/a:fasterxml:jackson-databind:2.7.9.4
Fasterxml Jackson-databind 2.8.0 cpe:/a:fasterxml:jackson-databind:2.8.0
Fasterxml Jackson-databind 2.8.1 cpe:/a:fasterxml:jackson-databind:2.8.1
Fasterxml Jackson-databind 2.8.2 cpe:/a:fasterxml:jackson-databind:2.8.2
Fasterxml Jackson-databind 2.8.3 cpe:/a:fasterxml:jackson-databind:2.8.3
Fasterxml Jackson-databind 2.8.4 cpe:/a:fasterxml:jackson-databind:2.8.4
Fasterxml Jackson-databind 2.8.5 cpe:/a:fasterxml:jackson-databind:2.8.5
Fasterxml Jackson-databind 2.8.6 cpe:/a:fasterxml:jackson-databind:2.8.6
Fasterxml Jackson-databind 2.8.7 cpe:/a:fasterxml:jackson-databind:2.8.7
Fasterxml Jackson-databind 2.8.8 cpe:/a:fasterxml:jackson-databind:2.8.8
Fasterxml Jackson-databind 2.8.8.1 cpe:/a:fasterxml:jackson-databind:2.8.8.1
Fasterxml Jackson-databind 2.8.9 cpe:/a:fasterxml:jackson-databind:2.8.9
Fasterxml Jackson-databind 2.8.10 cpe:/a:fasterxml:jackson-databind:2.8.10
Fasterxml Jackson-databind 2.9.0 cpe:/a:fasterxml:jackson-databind:2.9.0:-
Fasterxml Jackson-databind 2.9.0 cpe:/a:fasterxml:jackson-databind:2.9.0:prerelease1
Fasterxml Jackson-databind 2.9.0 cpe:/a:fasterxml:jackson-databind:2.9.0:prerelease2
Fasterxml Jackson-databind 2.9.0 cpe:/a:fasterxml:jackson-databind:2.9.0:prerelease3
Fasterxml Jackson-databind 2.9.0 cpe:/a:fasterxml:jackson-databind:2.9.0:prerelease4
Redhat Virtualization 4.0 cpe:/a:redhat:virtualization:4.0
Redhat Virtualization Host 4.0 cpe:/a:redhat:virtualization_host:4.0
Debian Debian Linux 8.0 cpe:/o:debian:debian_linux:8.0
Debian Debian Linux 9.0 cpe:/o:debian:debian_linux:9.0
Fasterxml Jackson-databind 2.8.11 cpe:/a:fasterxml:jackson-databind:2.8.11
Fasterxml Jackson-databind 2.9.0 cpe:/a:fasterxml:jackson-databind:2.9.0
Fasterxml Jackson-databind 2.9.1 cpe:/a:fasterxml:jackson-databind:2.9.1
Fasterxml Jackson-databind 2.9.2 cpe:/a:fasterxml:jackson-databind:2.9.2
Fasterxml Jackson-databind 2.9.3 cpe:/a:fasterxml:jackson-databind:2.9.3

CWE

ID Name Description
CWE-502 Deserialization of Untrusted Data The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
CWE-184 Incomplete Blacklist An application uses a "blacklist" of prohibited values, but the blacklist is incomplete.

History of changes

Date Event
2019-09-27 03:15
2019-08-29 16:04
2018-09-27 15:29
2018-09-27 10:29
2018-05-17 01:29
2018-04-25 01:29
2018-03-14 01:29
2018-02-17 02:29
2018-02-12 19:15
2018-01-22 04:29
