Skip to content

Deserialization of Untrusted Data in jackson-databind

High severity GitHub Reviewed Published Jun 30, 2020 to the GitHub Advisory Database • Updated Mar 1, 2024

Package

maven com.fasterxml.jackson.core:jackson-databind (Maven)

Affected versions

>= 2.9.0, < 2.9.4
>= 2.8.0, < 2.8.11
< 2.7.9.5

Patched versions

2.9.4
2.8.11.1
2.7.9.5

Description

FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.

References

Published by the National Vulnerability Database Jan 22, 2018
Reviewed Jun 30, 2020
Published to the GitHub Advisory Database Jun 30, 2020
Last updated Mar 1, 2024

Severity

High
8.1
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
High
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS score

9.270%
(95th percentile)

Weaknesses

CVE ID

CVE-2018-5968

GHSA ID

GHSA-w3f4-3q6j-rh82

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.