CVE-2018-7489: Deserialization of Untrusted Data
FasterXML jackson-databind allows unauthenticated remote code execution. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a denylist that is ineffective if the c3p0 libraries are available in the classpath.
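The denylist bypass described above is only reachable when the ObjectMapper has been configured to accept class names from the JSON itself (default typing), a precondition the advisory text does not spell out. The following is an added example, not code from jackson-databind or from this advisory, contrasting that weak configuration with two hardened ones; the com.example.model package name is a placeholder.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

/**
 * Three ObjectMapper configurations for the readValue() path this advisory
 * describes. Only the first relies on the built-in denylist, which is the
 * guard that c3p0 on the classpath renders ineffective.
 */
public final class JacksonTypingConfig {

    /**
     * Weak: global default typing. Every polymorphic value may carry a class
     * name that the library instantiates, and the denylist is the sole check.
     * A denylist miss (such as the c3p0 case) means attacker-chosen classes
     * are constructed from untrusted input.
     */
    @SuppressWarnings("deprecation")
    public static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    /**
     * Hardened: default typing left off (the ObjectMapper default). Where
     * polymorphism is genuinely needed, declare it per property with
     * @JsonTypeInfo/@JsonSubTypes using logical type names, never class names.
     */
    public static ObjectMapper safeMapper() {
        return new ObjectMapper();
    }

    /**
     * Hardened alternative when default typing cannot be removed: an allowlist
     * validator (jackson-databind 2.10 and later) that admits only the
     * application's own model package, so library gadget classes are rejected
     * whether or not the denylist knows about them.
     */
    public static ObjectMapper allowlistMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")   // placeholder base package
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }
}
```

With allowlistMapper(), readValue() fails with an InvalidTypeIdException for any type id outside the allowed prefix, which is the behaviour to verify in a unit test after upgrading; dependency scanning (below) remains the control that catches the vulnerable library version itself.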
References
- www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
- www.securityfocus.com/bid/103203
- www.securitytracker.com/id/1040693
- www.securitytracker.com/id/1041890
- github.com/FasterXML/jackson-databind/issues/1931
- nvd.nist.gov/vuln/detail/CVE-2018-7489
- security.netapp.com/advisory/ntap-20180328-0001/
- www.debian.org/security/2018/dsa-4190
Detect and mitigate CVE-2018-7489 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities.