CVE-2018-11307: NVD - CVE-2017-7525
An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and 2.9.6.
The mechanism is the same one behind the original default-typing issue, CVE-2017-7525: with default typing enabled on the ObjectMapper, the JSON being deserialized names the Java class to instantiate, so whoever controls the input can pick any class on the classpath, including a library class that does something dangerous in its constructor or setters (the "gadget"). CVE-2018-11307 is one of the follow-on entries that blocklisted a further gadget, which is why the references below (jackson-databind issues #1599 and #1723, Struts S2-055, the 2017 Red Hat errata) are the ones NVD lists for CVE-2017-7525. Upgrading to a fixed release only blocks the gadgets known at the time; the durable fix is to stop enabling global default typing, or to restrict it to an allow-list of your own types.
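The two configurations the advisory turns on, as an added example that is not from NVD, FasterXML or any of the referenced advisories: an ObjectMapper with global default typing enabled (the vulnerable pattern), the allow-listed replacement beside it, and a check of the running jackson-databind version against the fixed releases named above. Assumptions: jackson-databind 2.10 or later on the classpath, since `activateDefaultTyping` and `BasicPolymorphicTypeValidator` were introduced in 2.10 (on the 2.7, 2.8 and 2.9 lines the fix is to upgrade to the listed release and remove `enableDefaultTyping`); Java 9 or later for `Arrays.compare`; the `Payload` class, the `com.example.model.` package and the JSON input are constructed for this example. The input names `java.util.HashMap`, a harmless class, purely to show that the input chooses the class; no gadget class is used.

```java
import java.util.Arrays;

import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

// Added example, not NVD's or FasterXML's code. Assumes jackson-databind 2.10+
// (for the hardened mapper) and Java 9+ (for Arrays.compare).
public class DefaultTypingCheck {

    // Hypothetical application class with a polymorphic field: with global
    // default typing enabled, the JSON decides which class ends up in `data`.
    public static class Payload {
        public Object data;
    }

    // VULNERABLE: the pattern the advisory describes. Any class on the classpath
    // (a gadget from a library such as iBatis included) may be named in the
    // input and instantiated. Deprecated since 2.10; kept here for contrast.
    @SuppressWarnings("deprecation")
    static ObjectMapper vulnerableMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    // HARDENED (2.10+): default typing only for types under an allow-listed
    // package, so a type id naming anything else is rejected before resolution.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.") // hypothetical package
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    // Fixed releases named in the advisory: 2.7.9.4, 2.8.11.2, 2.9.6.
    static final int[][] FIXED = { {2, 7, 9, 4}, {2, 8, 11, 2}, {2, 9, 6, 0} };

    // True when the version is at or above the fix for its minor line. Lines
    // 2.0 to 2.6 have no fixed release listed and report false; 2.10+ and any
    // later major line postdate the fix and report true.
    static boolean isFixed(int[] v) {
        if (v[0] != 2) {
            return v[0] > 2;
        }
        for (int[] f : FIXED) {
            if (f[1] == v[1]) {
                return Arrays.compare(v, f) >= 0;
            }
        }
        return v[1] > 9;
    }

    // Version.toString() renders "2.9.6", or "2.9.10-8" when a fourth
    // component is present, so split on both separators (parsing assumption).
    static int[] runningVersion() {
        String[] parts = new ObjectMapper().version().toString().split("[.-]");
        int[] v = new int[4];
        for (int i = 0; i < 4 && i < parts.length; i++) {
            try {
                v[i] = Integer.parseInt(parts[i]);
            } catch (NumberFormatException e) {
                v[i] = 0; // e.g. "SNAPSHOT"
            }
        }
        return v;
    }

    public static void main(String[] args) throws Exception {
        int[] v = runningVersion();
        System.out.println("jackson-databind " + Arrays.toString(v)
                + " at or above a fixed release: " + isFixed(v));

        // Constructed input: the wrapper-array form default typing uses, naming
        // a class outside the allow-list. The vulnerable mapper instantiates
        // whatever is named here; the hardened mapper refuses it.
        String json = "{\"data\":[\"java.util.HashMap\",{\"k\":\"v\"}]}";

        Payload p = vulnerableMapper().readValue(json, Payload.class);
        System.out.println("vulnerable mapper instantiated: "
                + p.data.getClass().getName());

        try {
            hardenedMapper().readValue(json, Payload.class);
            System.out.println("hardened mapper accepted the input (unexpected)");
        } catch (JsonMappingException e) {
            // InvalidTypeIdException, a JsonMappingException subtype, is raised
            // when the PolymorphicTypeValidator denies the type id.
            System.out.println("hardened mapper rejected: " + e.getOriginalMessage());
        }
    }
}
```

Run with jackson-databind (and its jackson-core and jackson-annotations dependencies) on the classpath. The version gate only tells you whether the known gadget is blocked in the build you are running; the rejection path in the hardened mapper is what removes the class of bug, because the allow-list decides which type ids may ever be resolved, whatever new gadget turns up on the classpath.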
References to Advisories, Solutions, and Tools
Hyperlink (Resource tags)
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html (Patch; Third Party Advisory)
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html (Patch; Third Party Advisory)
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html (Patch; Third Party Advisory)
http://www.securityfocus.com/bid/99623 (Third Party Advisory; VDB Entry)
http://www.securitytracker.com/id/1039744 (Third Party Advisory; VDB Entry)
http://www.securitytracker.com/id/1039947 (Third Party Advisory; VDB Entry)
http://www.securitytracker.com/id/1040360 (Third Party Advisory; VDB Entry)
https://access.redhat.com/errata/RHSA-2017:1834 (Third Party Advisory)
https://access.redhat.com/errata/RHSA-2017:1835 (Third Party Advisory)
https://access.redhat.com/errata/RHSA-2017:1836 (Third Party Advisory)
https://access.redhat.com/errata/RHSA-2017:1837 (Third Party Advisory)
https://access.redhat.com/errata/RHSA-2017:1839 (Third Party Advisory)
https://access.redhat.com/errata/RHSA-2017:1840 (Third Party Advisory)
https://access.redhat.com/errata/RHSA-2017:2477 (Third Party Advisory)
https://access.redhat.com/errata/RHSA-2017:2546 (Third Party Advisory)
https://access.redhat.com/errata/RHSA-2017:2547 (Third Party Advisory)
https://access.redhat.com/errata/RHSA-2017:2633 (Third Party Advisory)
https://access.redhat.com/errata/RHSA-2017:2635 (Third Party Advisory)
https://access.redhat.com/errata/RHSA-2017:2636 (Third Party Advisory)
https://access.redhat.com/errata/RHSA-2017:2637 (Third Party Advisory)
https://access.redhat.com/errata/RHSA-2017:2638 (Third Party Advisory)
https://access.redhat.com/errata/RHSA-2017:3141 (Third Party Advisory)
https://access.redhat.com/errata/RHSA-2017:3454 (Third Party Advisory)
https://access.redhat.com/errata/RHSA-2017:3455 (Third Party Advisory)
https://access.redhat.com/errata/RHSA-2017:3456 (Third Party Advisory)
https://access.redhat.com/errata/RHSA-2017:3458 (Third Party Advisory)
https://access.redhat.com/errata/RHSA-2018:0294 (Third Party Advisory)
https://access.redhat.com/errata/RHSA-2018:0342 (Third Party Advisory)
https://access.redhat.com/errata/RHSA-2018:1449 (Third Party Advisory)
https://access.redhat.com/errata/RHSA-2018:1450 (Third Party Advisory)
https://access.redhat.com/errata/RHSA-2019:0910 (Third Party Advisory)
https://access.redhat.com/errata/RHSA-2019:2858 (Third Party Advisory)
https://access.redhat.com/errata/RHSA-2019:3149 (Third Party Advisory)
https://bugzilla.redhat.com/show_bug.cgi?id=1462702 (Issue Tracking; Third Party Advisory)
https://cwiki.apache.org/confluence/display/WW/S2-055 (Third Party Advisory)
https://github.com/FasterXML/jackson-databind/issues/1599 (Issue Tracking; Patch; Third Party Advisory)
https://github.com/FasterXML/jackson-databind/issues/1723 (Issue Tracking; Third Party Advisory)
https://lists.apache.org/thread.html/3c87dc8bca99a2b3b4743713b33d1de05b1d6b761fdf316224e9c81f@%3Cdev.lucene.apache.org%3E (Mailing List; Third Party Advisory)
https://lists.apache.org/thread.html/4641ed8616ccc2c1fbddac2c3dc9900c96387bc226eaf0232d61909b@%3Ccommits.cassandra.apache.org%3E (Mailing List; Third Party Advisory)
https://lists.apache.org/thread.html/5008bcbd45ee65ce39e4220b6ac53d28a24d6bc67d5804e9773a7399@%3Csolr-user.lucene.apache.org%3E (Mailing List; Third Party Advisory)
https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E (Mailing List; Third Party Advisory)
https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E (Mailing List; Third Party Advisory)
https://lists.apache.org/thread.html/b1f33fe5ade396bb903fdcabe9f243f7692c7dfce5418d3743c2d346@%3Cdev.lucene.apache.org%3E (Mailing List; Third Party Advisory)
https://lists.apache.org/thread.html/c10a2bf0fdc3d25faf17bd191d6ec46b29a353fa9c97bebd7c4e5913@%3Cdev.lucene.apache.org%3E (Mailing List; Third Party Advisory)
https://lists.apache.org/thread.html/c2ed4c0126b43e324cf740012a0edd371fd36096fd777be7bfe7a2a6@%3Cdev.lucene.apache.org%3E (Mailing List; Third Party Advisory)
https://lists.apache.org/thread.html/c9d5ff20929e8a3c8794facf4c4b326a9c10618812eec356caa20b87@%3Csolr-user.lucene.apache.org%3E (Mailing List; Third Party Advisory)
https://lists.apache.org/thread.html/f095a791bda6c0595f691eddd0febb2d396987eec5cbd29120d8c629@%3Csolr-user.lucene.apache.org%3E (Mailing List; Third Party Advisory)
https://lists.apache.org/thread.html/f60afd3c7e9ebaaf70fad4a4beb75cf8740ac959017a31e7006c7486@%3Cdev.lucene.apache.org%3E (Mailing List; Third Party Advisory)
https://lists.apache.org/thread.html/r42ac3e39e6265db12d9fc6ae1cd4b5fea7aed9830dc6f6d58228fed7@%3Ccommits.cassandra.apache.org%3E (Mailing List; Third Party Advisory)
https://lists.apache.org/thread.html/r68acf97f4526ba59a33cc6e592261ea4f85d890f99e79c82d57dd589@%3Cissues.spark.apache.org%3E (Mailing List; Third Party Advisory)
https://lists.apache.org/thread.html/rf7f87810c38dc9abf9f93989f76008f504cbf7c1a355214640b2d04c@%3Ccommits.cassandra.apache.org%3E (Mailing List; Third Party Advisory)
https://lists.debian.org/debian-lts-announce/2020/01/msg00037.html (Mailing List; Third Party Advisory)
https://lists.debian.org/debian-lts-announce/2020/08/msg00039.html (Mailing List; Third Party Advisory)
https://security.netapp.com/advisory/ntap-20171214-0002/ (Third Party Advisory)
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03902en_us (Third Party Advisory)
https://www.debian.org/security/2017/dsa-4004 (Third Party Advisory)
https://www.oracle.com/security-alerts/cpuoct2020.html (Third Party Advisory)
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html (Patch; Third Party Advisory)
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html (Patch; Third Party Advisory)
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html (Patch; Third Party Advisory)
Related news
Dell Streaming Data Platform prior to 1.4 contains an Open Redirect vulnerability. An attacker with the same privileges as a legitimate user can phish the legitimate user into following a redirect to a malicious website, leading to information disclosure and further phishing attacks.
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the Oracle Human Resources product of Oracle E-Business Suite (component: Hierarchy Diagrammers). Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.9. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Human Resources. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Human Resources accessible data as well as unauthorized access to critical data or complete access to all Oracle Human Resources accessible data. CVSS 3.0 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: WLS Core Components). The supported version that is affected is 10.3.6.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data as well as unauthorized read access to a subset of Oracle WebLogic Server accessible data. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 8.0.16 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.7.25 and prior and 8.0.15 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
A remote code execution vulnerability exists in Xterm.js when the component mishandles special characters, aka "Xterm Remote Code Execution Vulnerability." This affects xterm.js.
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser). Supported versions that are affected are 5.5.61 and prior, 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).