
CVE-2018-7489: FasterXML jackson-databind allows unauthenticated remote code execution

CVSS Score (v3.0): 9.8

Basic Information

EPSS Score: 0.97318%
Published: 10/16/2018
Updated: 3/15/2024
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name                                   Ecosystem   Vulnerable Versions       First Patched Version
com.fasterxml.jackson.core:jackson-databind    maven       >= 2.9.0, < 2.9.5         2.9.5
com.fasterxml.jackson.core:jackson-databind    maven       >= 2.8.0, <= 2.8.11.0     2.8.11.1
com.fasterxml.jackson.core:jackson-databind    maven       >= 2.7.0, < 2.7.9.3       2.7.9.3
com.fasterxml.jackson.core:jackson-databind    maven       < 2.6.7.5                 2.6.7.5

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The patches indicate that the vulnerability is related to the deserialization of untrusted data. The validateSubType and checkIllegalTypes methods were modified to add additional checks to prevent the deserialization of certain classes. These methods are directly related to the vulnerability and are likely to be involved in the exploitation.
