2019-03-21 17:00:12 2019-09-17 19:15:11

An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. The issue is exploitable when three conditions hold: Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service for the service to access. In that case it is possible to make the service execute a malicious payload.

Vector: NETWORK
Complexity: HIGH
Authentication: NONE
Confidentiality: PARTIAL
Integrity: PARTIAL
Availability: PARTIAL

Redhat Decision manager 7.3.1 (not an official CPE)
Redhat Automation manager 7.3.1 (not an official CPE)
Oracle Retail merchandising system 15.0 (not an official CPE)
Oracle Jd edwards enterpriseone tools 9.2 (not an official CPE)
Fasterxml Jackson-databind 2.9.5 (not an official CPE)
Fasterxml Jackson-databind 2.9.4 (not an official CPE)
Fasterxml Jackson-databind 2.9.3 (not an official CPE)
Fasterxml Jackson-databind 2.9.2 (not an official CPE)
Fasterxml Jackson-databind 2.9.1 (not an official CPE)
Fasterxml Jackson-databind 2.9.0 Prerelease4 (not an official CPE)
Fasterxml Jackson-databind 2.9.0 Prerelease3 (not an official CPE)
Fasterxml Jackson-databind 2.9.0 Prerelease2 (not an official CPE)
Fasterxml Jackson-databind 2.9.0 Prerelease1 (not an official CPE)
Fasterxml Jackson-databind 2.9.0 - (not an official CPE)
Fasterxml Jackson-databind 2.9.0 (not an official CPE)
Fasterxml Jackson-databind 2.8.11.1 (not an official CPE)
Fasterxml Jackson-databind 2.8.11 (not an official CPE)
Fasterxml Jackson-databind 2.8.10 (not an official CPE)
Fasterxml Jackson-databind 2.8.9 (not an official CPE)
Fasterxml Jackson-databind 2.8.8.1 (not an official CPE)
Fasterxml Jackson-databind 2.8.8 (not an official CPE)
Fasterxml Jackson-databind 2.8.7 (not an official CPE)
Fasterxml Jackson-databind 2.8.6 (not an official CPE)
Fasterxml Jackson-databind 2.8.5 (not an official CPE)
Fasterxml Jackson-databind 2.8.4 (not an official CPE)
Fasterxml Jackson-databind 2.8.3 (not an official CPE)
Fasterxml Jackson-databind 2.8.2 (not an official CPE)
Fasterxml Jackson-databind 2.8.1 (not an official CPE)
Fasterxml Jackson-databind 2.8.0 (not an official CPE)
Fasterxml Jackson-databind 2.7.9.3 (not an official CPE)
Fasterxml Jackson-databind 2.7.9.2 (not an official CPE)
Fasterxml Jackson-databind 2.7.9.1 (not an official CPE)
Fasterxml Jackson-databind 2.7.8 (not an official CPE)
Fasterxml Jackson-databind 2.7.9 (not an official CPE)
Fasterxml Jackson-databind 2.7.7 (not an official CPE)
Fasterxml Jackson-databind 2.7.4 (not an official CPE)
Fasterxml Jackson-databind 2.7.6 (not an official CPE)
Fasterxml Jackson-databind 2.7.5 (not an official CPE)
Fasterxml Jackson-databind 2.7.3 (not an official CPE)
Fasterxml Jackson-databind 2.7.2 (not an official CPE)
Fasterxml Jackson-databind 2.7.1-1 (not an official CPE)
Fasterxml Jackson-databind 2.7.1 (not an official CPE)
Fasterxml Jackson-databind 2.7.0 Rc3 (not an official CPE)
Fasterxml Jackson-databind 2.7.0 Rc2 (not an official CPE)
Fasterxml Jackson-databind 2.7.0 Rc1 (not an official CPE)
Fasterxml Jackson-databind 2.7.0 - (not an official CPE)
Fasterxml Jackson-databind 2.7.0 (not an official CPE)
Redhat Jboss brms 6.4.10 (not an official CPE)
Redhat Jboss enterprise application platform 7.2.0 (not an official CPE)
Redhat Openshift container platform 3.11 (not an official CPE)
Redhat Single sign-on 7.3 (not an official CPE)