vulnerability

FreeBSD: VID-93f8e0ff-f33d-11e8-be46-0019dbb15b3f (CVE-2018-7489): payara -- Default typing issue in Jackson Databind

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
7	(AV:N/AC:L/Au:N/C:P/I:P/A:P)	Nov 28, 2018	Nov 29, 2018	Dec 10, 2025

Severity

CVSS

(AV:N/AC:L/Au:N/C:P/I:P/A:P)

Published

Nov 28, 2018

Added

Nov 29, 2018

Modified

Dec 10, 2025

Description

FasterXML jackson-databind before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.

Solution

freebsd-upgrade-package-payara

References

CVE-2018-7489
https://attackerkb.com/topics/CVE-2018-7489
CWE-184
CWE-502

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today