CVE-2018-19362 — CRITICAL (9.8)

Q: What is CVE-2018-19362?

CVE-2018-19362 is a vulnerability with a CVSS score of 9.8 (CRITICAL). FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.

Q: How severe is CVE-2018-19362?

CVE-2018-19362 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2018-19362?

Check the references section above for vendor advisories and patch information. Affected products include: Fasterxml Jackson-Databind, Debian Debian Linux, Oracle Business Process Management Suite, Oracle Primavera P6 Enterprise Project Portfolio Management, Oracle Primavera Unifier.

Vulnerability Description

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.

CVSS Score

9.8

CRITICAL

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Fasterxml	Jackson-Databind	>= 2.6.0, <= 2.6.7.2
Debian	Debian Linux	8.0
Oracle	Business Process Management Suite	12.1.3.0.0
Oracle	Primavera P6 Enterprise Project Portfolio Management	>= 17.7, <= 17.12
Oracle	Primavera Unifier	>= 17.7, <= 17.12
Oracle	Retail Workforce Management Software	1.60.9.0.0
Oracle	Webcenter Portal	12.2.1.3.0
Redhat	Automation Manager	7.3.1
Redhat	Decision Manager	7.3.1
Redhat	Jboss Bpm Suite	6.4.11
Redhat	Jboss Brms	6.4.10
Redhat	Openshift Container Platform	3.11

Related Weaknesses (CWE)

CWE-502

References

http://www.securityfocus.com/bid/107985Third Party AdvisoryVDB Entry
https://access.redhat.com/errata/RHBA-2019:0959Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:0782Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:0877Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:1782Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:1797Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:1822Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:1823Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:2804
https://access.redhat.com/errata/RHSA-2019:2858
https://access.redhat.com/errata/RHSA-2019:3002
https://access.redhat.com/errata/RHSA-2019:3140
https://access.redhat.com/errata/RHSA-2019:3149
https://access.redhat.com/errata/RHSA-2019:3892
https://access.redhat.com/errata/RHSA-2019:4037

FAQ

What is CVE-2018-19362?

CVE-2018-19362 is a vulnerability with a CVSS score of 9.8 (CRITICAL). FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.

How severe is CVE-2018-19362?

CVE-2018-19362 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2018-19362?

Check the references section above for vendor advisories and patch information. Affected products include: Fasterxml Jackson-Databind, Debian Debian Linux, Oracle Business Process Management Suite, Oracle Primavera P6 Enterprise Project Portfolio Management, Oracle Primavera Unifier.