CVE-2018-7489 — Vulnetix

Try Vulnetix Request Demo

CVE-2018-7489 PUBLISHED

FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.

EPSS 36.21% · 97.1th percentile

Risk Scores

EPSS Score

36.21%

97.1th percentile

Affected Products

Vendor	Product	Versions
Ubuntu:Pro:16.04:LTS	jackson-databind	0, 2.4.2-2, 2.4.2-3
Ubuntu:Pro:14.04:LTS	jackson-databind	0, 2.2.2-1

Timeline

Feb 26, 2018 CVE Published
Sep 27, 2019 CVE Updated
Apr 14, 2021 EPSS Score
Nov 23, 2022 EPSS Score
Mar 7, 2023 EPSS Score
Dec 12, 2023 EPSS Score
Aug 22, 2024 EPSS Score
Dec 17, 2024 EPSS Score
Mar 19, 2025 EPSS Score
Mar 21, 2025 EPSS Score
Mar 27, 2025 EPSS Score
Mar 28, 2025 EPSS Score

References

https://ubuntu.com/security/CVE-2018-7489 third-party-advisory
https://github.com/FasterXML/jackson-databind/issues/1931 third-party-advisory
https://github.com/FasterXML/jackson-databind/commit/6799f8f10cc78e9af6d443ed6982d00a13f2e7d2 third-party-advisory
https://www.cve.org/CVERecord?id=CVE-2018-7489 third-party-advisory
Multiples vulnérabilités dans les produits Splunk advisory
Multiples vulnérabilités dans les produits IBM advisory

Open in Interactive Console →