FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

payara -- Default typing issue in Jackson Databind

Affected packages
payara = 4.1.2.181.3
payara = 4.1.2.182
payara = 5.181.3
payara = 5.182

Details

VuXML ID 93f8e0ff-f33d-11e8-be46-0019dbb15b3f
Discovery 2018-02-26
Entry 2018-11-28

FasterXML jackson-databind before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.

[source]

References

CVE Name CVE-2018-7489
URL https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7489

Copyright © 2003-2005 Jacques Vidrine and contributors.
Please see the source of this document for full copyright information.