Vulnerability Details CVE-2018-5968
FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.026
EPSS Ranking 84.8%
CVSS Severity
CVSS v3 Score 8.1
CVSS v2 Score 6.8
References
- https://access.redhat.com/errata/RHSA-2018:0478
- https://access.redhat.com/errata/RHSA-2018:0479
- https://access.redhat.com/errata/RHSA-2018:0480
- https://access.redhat.com/errata/RHSA-2018:0481
- https://access.redhat.com/errata/RHSA-2018:1525
- https://access.redhat.com/errata/RHSA-2019:2858
- https://access.redhat.com/errata/RHSA-2019:3149
- https://github.com/FasterXML/jackson-databind/issues/1899
- https://security.netapp.com/advisory/ntap-20180423-0002/
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03902en_us
- https://www.debian.org/security/2018/dsa-4114
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://access.redhat.com/errata/RHSA-2018:0478
- https://access.redhat.com/errata/RHSA-2018:0479
- https://access.redhat.com/errata/RHSA-2018:0480
- https://access.redhat.com/errata/RHSA-2018:0481
- https://access.redhat.com/errata/RHSA-2018:1525
- https://access.redhat.com/errata/RHSA-2019:2858
- https://access.redhat.com/errata/RHSA-2019:3149
- https://github.com/FasterXML/jackson-databind/issues/1899
- https://security.netapp.com/advisory/ntap-20180423-0002/
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03902en_us
- https://www.debian.org/security/2018/dsa-4114
- https://www.oracle.com/security-alerts/cpuoct2020.html
Products affected by CVE-2018-5968
-
cpe:2.3:a:fasterxml:jackson-databind:2.0.0
-
cpe:2.3:a:fasterxml:jackson-databind:2.0.1
-
cpe:2.3:a:fasterxml:jackson-databind:2.0.2
-
cpe:2.3:a:fasterxml:jackson-databind:2.0.4
-
cpe:2.3:a:fasterxml:jackson-databind:2.0.5
-
cpe:2.3:a:fasterxml:jackson-databind:2.0.6
-
cpe:2.3:a:fasterxml:jackson-databind:2.1.0
-
cpe:2.3:a:fasterxml:jackson-databind:2.1.1
-
cpe:2.3:a:fasterxml:jackson-databind:2.1.2
-
cpe:2.3:a:fasterxml:jackson-databind:2.1.3
-
cpe:2.3:a:fasterxml:jackson-databind:2.1.4
-
cpe:2.3:a:fasterxml:jackson-databind:2.1.5
-
cpe:2.3:a:fasterxml:jackson-databind:2.2.0
-
cpe:2.3:a:fasterxml:jackson-databind:2.2.1
-
cpe:2.3:a:fasterxml:jackson-databind:2.2.2
-
cpe:2.3:a:fasterxml:jackson-databind:2.2.3
-
cpe:2.3:a:fasterxml:jackson-databind:2.2.4
-
cpe:2.3:a:fasterxml:jackson-databind:2.3.0
-
cpe:2.3:a:fasterxml:jackson-databind:2.3.1
-
cpe:2.3:a:fasterxml:jackson-databind:2.3.2
-
cpe:2.3:a:fasterxml:jackson-databind:2.3.3
-
cpe:2.3:a:fasterxml:jackson-databind:2.3.4
-
cpe:2.3:a:fasterxml:jackson-databind:2.3.5
-
cpe:2.3:a:fasterxml:jackson-databind:2.4.0
-
cpe:2.3:a:fasterxml:jackson-databind:2.4.1
-
cpe:2.3:a:fasterxml:jackson-databind:2.4.1.1
-
cpe:2.3:a:fasterxml:jackson-databind:2.4.1.2
-
cpe:2.3:a:fasterxml:jackson-databind:2.4.1.3
-
cpe:2.3:a:fasterxml:jackson-databind:2.4.2
-
cpe:2.3:a:fasterxml:jackson-databind:2.4.3
-
cpe:2.3:a:fasterxml:jackson-databind:2.4.4
-
cpe:2.3:a:fasterxml:jackson-databind:2.4.5
-
cpe:2.3:a:fasterxml:jackson-databind:2.4.5.1
-
cpe:2.3:a:fasterxml:jackson-databind:2.4.6
-
cpe:2.3:a:fasterxml:jackson-databind:2.4.6.1
-
cpe:2.3:a:fasterxml:jackson-databind:2.5.0
-
cpe:2.3:a:fasterxml:jackson-databind:2.5.1
-
cpe:2.3:a:fasterxml:jackson-databind:2.5.2
-
cpe:2.3:a:fasterxml:jackson-databind:2.5.3
-
cpe:2.3:a:fasterxml:jackson-databind:2.5.4
-
cpe:2.3:a:fasterxml:jackson-databind:2.5.5
-
cpe:2.3:a:fasterxml:jackson-databind:2.6.0
-
cpe:2.3:a:fasterxml:jackson-databind:2.6.1
-
cpe:2.3:a:fasterxml:jackson-databind:2.6.2
-
cpe:2.3:a:fasterxml:jackson-databind:2.6.3
-
cpe:2.3:a:fasterxml:jackson-databind:2.6.4
-
cpe:2.3:a:fasterxml:jackson-databind:2.6.5
-
cpe:2.3:a:fasterxml:jackson-databind:2.6.6
-
cpe:2.3:a:fasterxml:jackson-databind:2.6.7
-
cpe:2.3:a:fasterxml:jackson-databind:2.6.7.1
-
cpe:2.3:a:fasterxml:jackson-databind:2.6.7.2
-
cpe:2.3:a:fasterxml:jackson-databind:2.7.0
-
cpe:2.3:a:fasterxml:jackson-databind:2.7.1
-
cpe:2.3:a:fasterxml:jackson-databind:2.7.1-1
-
cpe:2.3:a:fasterxml:jackson-databind:2.7.2
-
cpe:2.3:a:fasterxml:jackson-databind:2.7.3
-
cpe:2.3:a:fasterxml:jackson-databind:2.7.4
-
cpe:2.3:a:fasterxml:jackson-databind:2.7.5
-
cpe:2.3:a:fasterxml:jackson-databind:2.7.6
-
cpe:2.3:a:fasterxml:jackson-databind:2.7.7
-
cpe:2.3:a:fasterxml:jackson-databind:2.7.8
-
cpe:2.3:a:fasterxml:jackson-databind:2.7.9
-
cpe:2.3:a:fasterxml:jackson-databind:2.7.9.1
-
cpe:2.3:a:fasterxml:jackson-databind:2.8.0
-
cpe:2.3:a:fasterxml:jackson-databind:2.8.1
-
cpe:2.3:a:fasterxml:jackson-databind:2.8.10
-
cpe:2.3:a:fasterxml:jackson-databind:2.8.11
-
cpe:2.3:a:fasterxml:jackson-databind:2.8.2
-
cpe:2.3:a:fasterxml:jackson-databind:2.8.3
-
cpe:2.3:a:fasterxml:jackson-databind:2.8.4
-
cpe:2.3:a:fasterxml:jackson-databind:2.8.5
-
cpe:2.3:a:fasterxml:jackson-databind:2.8.6
-
cpe:2.3:a:fasterxml:jackson-databind:2.8.7
-
cpe:2.3:a:fasterxml:jackson-databind:2.8.8
-
cpe:2.3:a:fasterxml:jackson-databind:2.8.8.1
-
cpe:2.3:a:fasterxml:jackson-databind:2.8.9
-
cpe:2.3:a:fasterxml:jackson-databind:2.9.0
-
cpe:2.3:a:fasterxml:jackson-databind:2.9.1
-
cpe:2.3:a:fasterxml:jackson-databind:2.9.2
-
cpe:2.3:a:fasterxml:jackson-databind:2.9.3
-
cpe:2.3:a:netapp:e-series_santricity_os_controller:11.0.0
-
cpe:2.3:a:netapp:e-series_santricity_os_controller:11.20
-
cpe:2.3:a:netapp:e-series_santricity_os_controller:11.25
-
cpe:2.3:a:netapp:e-series_santricity_os_controller:11.30
-
cpe:2.3:a:netapp:e-series_santricity_os_controller:11.30.5r3
-
cpe:2.3:a:netapp:e-series_santricity_os_controller:11.40
-
cpe:2.3:a:netapp:e-series_santricity_os_controller:11.40.3r2
-
cpe:2.3:a:netapp:e-series_santricity_os_controller:11.40.5
-
cpe:2.3:a:netapp:e-series_santricity_os_controller:11.50.1
-
cpe:2.3:a:netapp:e-series_santricity_os_controller:11.50.2
-
cpe:2.3:a:netapp:e-series_santricity_os_controller:11.60
-
cpe:2.3:a:netapp:e-series_santricity_os_controller:11.60.0
-
cpe:2.3:a:netapp:e-series_santricity_os_controller:11.60.1
-
cpe:2.3:a:netapp:e-series_santricity_os_controller:11.60.3
-
cpe:2.3:a:netapp:e-series_santricity_web_services_proxy:-
-
cpe:2.3:a:netapp:oncommand_shift:-
-
cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.1
-
cpe:2.3:a:redhat:openshift_container_platform:3.11
-
cpe:2.3:a:redhat:openshift_container_platform:4.1
-
cpe:2.3:a:redhat:virtualization:4.0
-
cpe:2.3:a:redhat:virtualization_host:4.0
-
cpe:2.3:o:debian:debian_linux:8.0
-
cpe:2.3:o:debian:debian_linux:9.0
-
cpe:2.3:o:redhat:enterprise_linux_server:6.0
-
cpe:2.3:o:redhat:enterprise_linux_server:7.0