Red Hat JBoss EAP: CVE-2018-5968: Deserialization of Untrusted Data
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 7 | (AV:N/AC:M/Au:N/C:P/I:P/A:P) | Jan 18, 2018 | Sep 19, 2024 | Jul 2, 2025 |
Description
FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist. A deserialization flaw was discovered in jackson-databind that could allow an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of the ObjectMapper. The fix for this issue extends the fixes for the previous flaws CVE-2017-7525 and CVE-2017-17485 by blacklisting more classes that could be used maliciously.
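The root cause above is that, with default typing enabled, the type id inside untrusted JSON handed to readValue decides which class gets instantiated, and a blacklist of known-bad classes is always one gadget behind. The following is an added example, not code from this advisory or from Red Hat, showing that weak ObjectMapper setting beside the allow-list configuration available from jackson-databind 2.10 onward; the package name, the Event/LoginEvent types and the two JSON inputs are constructed for illustration.

```java
package com.example.model;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class JacksonTypingHardening {

    // Hypothetical application types; all legitimate subtypes live under com.example.model.
    public abstract static class Event { public String id; }
    public static class LoginEvent extends Event { public String user; }

    // Weak setting: global default typing with no validator. The type id carried in
    // the JSON may name any class on the classpath; the CVE-2017-7525 / CVE-2018-5968
    // blacklist only tried to deny the classes already known to be abusable.
    public static ObjectMapper weakMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(); // deprecated since 2.10; never use on untrusted input
        return m;
    }

    // Hardened setting (jackson-databind 2.10+): type ids are checked against an
    // explicit allow-list and anything not on it is refused before the named class
    // is ever loaded or instantiated.
    public static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.") // only our own subtypes
                .build();
        return JsonMapper.builder()
                .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL)
                .build();
    }

    // Returns true if the mapper accepted the type id, false if the validator refused it.
    public static boolean accepts(ObjectMapper mapper, String json) throws java.io.IOException {
        try {
            mapper.readValue(json, Event.class);
            return true;
        } catch (InvalidTypeIdException e) { // type id not on the allow-list (or unknown)
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs in Jackson's default "[typeId, value]" wrapper format.
        String ours  = "[\"com.example.model.JacksonTypingHardening$LoginEvent\",{\"id\":\"1\",\"user\":\"alice\"}]";
        String other = "[\"com.notours.SomeOtherClass\",{\"id\":\"1\"}]";
        System.out.println("own subtype accepted: " + accepts(hardenedMapper(), ours));
        System.out.println("foreign type refused: " + !accepts(hardenedMapper(), other));
    }
}
```

On the affected 2.8.x/2.9.x releases named in this advisory the validator API does not exist, so the fix there is to upgrade and, until then, to leave default typing disabled for any input that crosses a trust boundary.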
Solution
Upgrade Red Hat JBoss EAP to the latest version.
References
- CWE-502
- CWE-184
- CVE-2018-5968
- https://attackerkb.com/topics/CVE-2018-5968
- https://access.redhat.com/security/cve/CVE-2018-5968
- https://bugzilla.redhat.com/show_bug.cgi?id=1538332
- https://access.redhat.com/errata/RHSA-2018:0478
- https://access.redhat.com/errata/RHSA-2018:0479
- https://access.redhat.com/errata/RHSA-2018:0480
- https://access.redhat.com/errata/RHSA-2018:0481