CVE-2018-11307
Published: 9 July 2019
An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and 2.9.6.
From the Ubuntu Security Team
It was discovered that Jackson Databind incorrectly handled deserialization. An attacker could possibly use this issue to obtain sensitive information.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
jackson-databind Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(2.9.8-1)
|
| cosmic |
Ignored
(end of life)
|
|
| disco |
Not vulnerable
(2.9.8-1)
|
|
| eoan |
Not vulnerable
(2.9.8-1)
|
|
| focal |
Not vulnerable
(2.9.8-1)
|
|
| groovy |
Not vulnerable
(2.9.8-1)
|
|
| hirsute |
Not vulnerable
(2.9.8-1)
|
|
| impish |
Not vulnerable
(2.9.8-1)
|
|
| jammy |
Not vulnerable
(2.9.8-1)
|
|
| kinetic |
Not vulnerable
(2.9.8-1)
|
|
| lunar |
Not vulnerable
(2.9.8-1)
|
|
| mantic |
Not vulnerable
(2.9.8-1)
|
|
| trusty |
Needed
|
|
| upstream |
Released
(2.9.8-1)
|
|
| xenial |
Released
(2.4.2-3ubuntu0.1~esm2)
Available with Ubuntu Pro |
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 9.8 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |