CVE-2018-12023
moderate-risk
Published 2019-03-21
An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.
Do I need to act?
~
4.8% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.5/10
High
NETWORK
/ HIGH complexity
Affected Products (11)
Affected Vendors
References (74)
Third Party Advisory
http://www.securityfocus.com/bid/105659
Third Party Advisory
https://access.redhat.com/errata/RHBA-2019:0959
Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:0782
Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:0877
Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:1106
Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:1107
Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:1108
Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:1140
Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:1782
Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:1797
Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:1822
Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:1823
and 54 more references
46
/ 100
moderate-risk
Severity
22/34 · High
Exploitability
8/34 · Low
Exposure
16/34 · Moderate