CVE-2018-12022:
jackson-databind Deserialization of Untrusted Data vulnerability

CVSS Score: 7.5

Basic Information

EPSS Score: -
Published: 3/25/2019
Updated: 3/1/2024
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| com.fasterxml.jackson.core:jackson-databind | maven | >= 2.9.0, < 2.9.6 | 2.9.6 |
| com.fasterxml.jackson.core:jackson-databind | maven | <= 2.7.9.3 | 2.7.9.4 |
| com.fasterxml.jackson.core:jackson-databind | maven | >= 2.8.0, <= 2.8.11.1 | 2.8.11.2 |

Vulnerability Intelligence
Root Cause Analysis

The patches and descriptions provided indicate that the vulnerability is related to the deserialization of untrusted data in jackson-databind, specifically involving the Jodd-db library. The SubTypeValidator class is modified to block certain classes, suggesting its involvement in the vulnerability. The method validateSubType is likely a key point of interest for runtime detection.
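As an added illustration (not code from this page or from the jackson-databind project), the Java snippet below contrasts the global Default Typing setting that this vulnerability depends on, which leaves type resolution to jackson-databind's internal SubTypeValidator blocklist, with the allowlist-based PolymorphicTypeValidator that jackson-databind offers from 2.10 onward. The Shape, Circle and Square types and the JSON inputs are constructed for the example.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingHardening {

    // Hypothetical application types: the only subtypes the mapper may instantiate.
    public interface Shape { }
    public static class Circle implements Shape { public double radius; }
    public static class Square implements Shape { public double side; }

    /** Risky setting: any class named in the JSON that is present on the classpath is
     *  instantiated unless jackson-databind's internal SubTypeValidator blocklist knows it.
     *  This is the configuration under which the CVE applies. */
    public static ObjectMapper riskyMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE); // deprecated since 2.10
        return m;
    }

    /** Hardened setting (2.10+): an explicit allowlist of subtypes. Anything else,
     *  including classes from third-party jars, is rejected before instantiation. */
    public static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Circle.class)
                .allowIfSubType(Square.class)
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return m;
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper m = hardenedMapper();
        // Constructed input in Jackson's default WRAPPER_ARRAY form: ["<class name>", {...}].
        String ok = "[\"" + Circle.class.getName() + "\", {\"radius\": 2.0}]";
        Shape s = m.readValue(ok, Shape.class);
        System.out.println("accepted: " + s.getClass().getSimpleName());

        // Same structure with a type id outside the allowlist: rejected, never instantiated.
        String rejected = "[\"java.util.HashMap\", {}]";
        try {
            m.readValue(rejected, Shape.class);
        } catch (InvalidTypeIdException e) {
            System.out.println("rejected: " + e.getTypeId());
        }
    }
}
```

The allowlist complements, and does not replace, upgrading to the first patched version listed in the table above, since the blocklist entries for this CVE ship only with those releases.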

WAF Protection Rules

WAF Rule

An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in
