yoswein/789

CVE-2018-19362 (High) detected in jackson-databind-2.8.8.jar

Opened this issue · 0 comments

CVE-2018-19362 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.8.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: 789/rename/pom.xml

Path to vulnerable library: er/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.8/jackson-databind-2.8.8.jar

Dependency Hierarchy:

  • jackson-databind-2.8.8.jar (Vulnerable Library)

Found in HEAD commit: 3b99e6a32ca3b5ad7dd8008dfbdd6528692235f4

Found in base branch: master

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-19362

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19362

Release Date: 2019-01-02

Fix Resolution: 2.9.8


⛑️ Automatic Remediation is available for this issue