9.8

CVSS Score

Basic Information

CVE ID

CVE-2018-19362

GHSA ID

GHSA-c8hm-7hpq-7jhg

EPSS Score

CWE

CWE-502

Published

1/4/2019

Updated

3/15/2024

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2018-19362

CVE-2018-19362:
com.fasterxml.jackson.core:jackson-databind vulnerable to Deserialization of Untrusted Data

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.

(GitHub Advisory)

9.8

CVSS Score

Basic Information

CVE ID

CVE-2018-19362

GHSA ID

GHSA-c8hm-7hpq-7jhg

EPSS Score

CWE

CWE-502

Published

1/4/2019

Updated

3/15/2024

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
com.fasterxml.jackson.core:jackson-databind	maven	>= 2.9.0, < 2.9.8	2.9.8
com.fasterxml.jackson.core:jackson-databind	maven	>= 2.8.0, <= 2.8.11.2	2.8.11.3
com.fasterxml.jackson.core:jackson-databind	maven	>= 2.7.0, <= 2.7.9.4	2.7.9.5
com.fasterxml.jackson.core:jackson-databind	maven	>= 2.0.0, < 2.6.7.3	2.6.7.3

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The analysis involves examining the patches for CVE-2018-19362 and identifying the functions modified to mitigate the vulnerability. The patches modify SubTypeValidator to include additional classes in the blacklist, directly addressing the vulnerability related to deserialization of untrusted data.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

**st*rXML j**kson-**t**in* *.x ***or* *.*.* mi**t *llow *tt**k*rs to **v* unsp**i*i** imp**t *y l*v*r**in* **ilur* to *lo*k t** j*oss-*ommon-*or* *l*ss *rom polymorp*i* **s*ri*liz*tion.

Reasoning

T** *n*lysis involv*s *x*minin* t** p*t***s *or *V*-****-***** *n* i**nti*yin* t** *un*tions mo*i*i** to miti**t* t** vuln*r**ility. T** p*t***s mo*i*y Su*Typ*V*li**tor to in*lu** ***ition*l *l*ss*s in t** *l**klist, *ir**tly ***r*ssin* t** vuln*r**i

9.8

Basic Information

Concerned about an active attack path?

CVE-2018-19362: com.fasterxml.jackson.core:jackson-databind vulnerable to Deserialization of Untrusted Data

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2018-19362:
com.fasterxml.jackson.core:jackson-databind vulnerable to Deserialization of Untrusted Data

Vulnerability Intelligence
Miggo AI