CVE-2018-11307 — CRITICAL (9.8)

Q: How severe is CVE-2018-11307?

CVE-2018-11307 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2018-11307?

Check the references section above for vendor advisories and patch information. Affected products include: Fasterxml Jackson-Databind, Redhat Openshift Container Platform, Redhat Enterprise Linux, Oracle Clusterware, Oracle Communications Instant Messaging Server.

Vulnerability Description

An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and 2.9.6.

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Fasterxml	Jackson-Databind	>= 2.0.0, < 2.6.7.3
Redhat	Openshift Container Platform	3.11
Redhat	Enterprise Linux	7.0
Oracle	Clusterware	12.1.0.2.0
Oracle	Communications Instant Messaging Server	10.0.1.2.0
Oracle	Global Lifecycle Management Opatch	< 11.2.0.3.23
Oracle	Retail Customer Management And Segmentation Foundation	17.0
Oracle	Utilities Advanced Spatial And Operational Analytics	2.7.0.1

Related Weaknesses (CWE)

CWE-502

References

https://access.redhat.com/errata/RHSA-2019:0782Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:1822Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:1823Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:2804Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:2858Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:3002Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:3140Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:3149Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:3892Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:4037Third Party Advisory
https://github.com/FasterXML/jackson-databind/issues/2032Third Party Advisory
https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82eMailing ListThird Party Advisory
https://lists.apache.org/thread.html/7fcf88aff0d1deaa5c3c7be8d58c05ad7ad5da94b59Mailing ListThird Party Advisory
https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12eMailing ListThird Party Advisory
https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d28Mailing ListThird Party Advisory

FAQ

What is CVE-2018-11307?

CVE-2018-11307 is a vulnerability with a CVSS score of 9.8 (CRITICAL). An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11....

How severe is CVE-2018-11307?

CVE-2018-11307 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2018-11307?

Check the references section above for vendor advisories and patch information. Affected products include: Fasterxml Jackson-Databind, Redhat Openshift Container Platform, Redhat Enterprise Linux, Oracle Clusterware, Oracle Communications Instant Messaging Server.