Vulnerability Name:

CVE-2018-11307 (CCN-163528)

Assigned:2018-05-10
Published:2018-05-10
Updated:2023-06-08
Summary:FasterXML jackson-databind could allow a remote attacker to obtain sensitive information, caused by an issue when untrusted content is deserialized with default typing enabled. By sending specially-crafted content over FTP, an attacker could exploit this vulnerability to obtain sensitive information.
CVSS v3 Severity:9.8 Critical (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
8.5 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): None
Availibility (A): None
CVSS v2 Severity:7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availibility (A): None
Vulnerability Consequences:Obtain Information
References:Source: MITRE
Type: CNA
CVE-2018-11307

Source: cve@mitre.org
Type: Third Party Advisory
cve@mitre.org

Source: cve@mitre.org
Type: Third Party Advisory
cve@mitre.org

Source: cve@mitre.org
Type: Third Party Advisory
cve@mitre.org

Source: cve@mitre.org
Type: Third Party Advisory
cve@mitre.org

Source: cve@mitre.org
Type: Third Party Advisory
cve@mitre.org

Source: cve@mitre.org
Type: Third Party Advisory
cve@mitre.org

Source: cve@mitre.org
Type: Third Party Advisory
cve@mitre.org

Source: cve@mitre.org
Type: Third Party Advisory
cve@mitre.org

Source: cve@mitre.org
Type: Third Party Advisory
cve@mitre.org

Source: cve@mitre.org
Type: Third Party Advisory
cve@mitre.org

Source: XF
Type: UNKNOWN
fasterxml-cve201811307-info-disc(163528)

Source: CCN
Type: FasterXML GIT Repository
CVE-2018-11307: Potential information exfiltration with default typing, serialization gadget from MyBatis #2032

Source: cve@mitre.org
Type: Third Party Advisory
cve@mitre.org

Source: cve@mitre.org
Type: Mailing List, Third Party Advisory
cve@mitre.org

Source: cve@mitre.org
Type: Mailing List, Third Party Advisory
cve@mitre.org

Source: cve@mitre.org
Type: Mailing List, Third Party Advisory
cve@mitre.org

Source: cve@mitre.org
Type: Mailing List, Third Party Advisory
cve@mitre.org

Source: cve@mitre.org
Type: Third Party Advisory
cve@mitre.org

Source: cve@mitre.org
Type: Third Party Advisory, US Government Resource
cve@mitre.org

Source: CCN
Type: IBM Security Bulletin 6209691 (Sterling B2B Integrator)
Multiple Security Vulnerabilities in Jackson-databind Affect IBM Sterling B2B Integrator

Source: CCN
Type: IBM Security Bulletin 6217806 (Security Identity Governance and Intelligence)
IBM has announced a release for IBM Security Identity Governance and Intelligence in response to security vulnerabilities.

Source: CCN
Type: IBM Security Bulletin 6324739 (Security Guardium Insights)
IBM Security Guardium Insights is affected by Components with known vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6403331 (Security Guardium Data Encryption)
Multiple Vulnerabilities in IBM Guardium Data Encryption (GDE)

Source: CCN
Type: IBM Security Bulletin 6444089 (Log Analysis)
Multiple vulnerabilities in FasterXML jackson-databind affect Apache Solr shipped with IBM Operations Analytics - Log Analysis

Source: CCN
Type: IBM Security Bulletin 6528214 (Cloud Pak for Multicloud Management)
IBM Cloud Pak for Multicloud Management Monitoring has patched several open source dependencies

Source: cve@mitre.org
Type: Third Party Advisory
cve@mitre.org

Source: cve@mitre.org
Type: Third Party Advisory
cve@mitre.org

Source: cve@mitre.org
Type: Third Party Advisory
cve@mitre.org

Source: cve@mitre.org
Type: Patch, Third Party Advisory
cve@mitre.org

Vulnerable Configuration:Configuration CCN 1:
  • cpe:/a:fasterxml:jackson-databind:2.9.5:*:*:*:*:*:*:*
  • OR cpe:/a:fasterxml:jackson-databind:2.0.0:-:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:sterling_b2b_integrator:5.2.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:sterling_b2b_integrator:6.0.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:log_analysis:1.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:log_analysis:1.3.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:log_analysis:1.3.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:log_analysis:1.3.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:log_analysis:1.3.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:log_analysis:1.3.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_guardium_insights:2.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_guardium_data_encryption:3.0.0.2:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:201811307
    V
    		CVE-2018-11307
    2023-06-22
    oval:org.opensuse.security:def:7534
    P
    		jackson-databind-2.13.4.2-150200.3.12.1 on GA media (Moderate)
    2023-06-12
    oval:org.opensuse.security:def:1397
    P
    		Security update for the Linux Kernel (Live Patch 5 for SLE 15 SP3) (Important) (in QA)
    2022-06-27
    oval:org.opensuse.security:def:2955
    P
    		jackson-databind-2.10.5.1-3.5.1 on GA media (Moderate)
    2022-06-22
    oval:org.opensuse.security:def:94585
    P
    		jackson-databind-2.10.5.1-3.5.1 on GA media (Moderate)
    2022-06-22
    oval:org.opensuse.security:def:112447
    P
    		jackson-databind-2.10.5.1-2.2 on GA media (Moderate)
    2022-01-17
    oval:org.opensuse.security:def:105953
    P
    		jackson-databind-2.10.5.1-2.2 on GA media (Moderate)
    2021-10-01
    oval:org.opensuse.security:def:101273
    P
    		jackson-databind-2.10.5.1-3.3.2 on GA media (Moderate)
    2021-08-09
    oval:org.opensuse.security:def:1926
    P
    		jackson-databind-2.10.5.1-3.3.2 on GA media (Moderate)
    2021-08-09
    oval:org.opensuse.security:def:63015
    P
    		jackson-databind-2.10.5.1-3.3.2 on GA media (Moderate)
    2021-08-09
    oval:org.opensuse.security:def:72734
    P
    		jackson-databind-2.10.5.1-3.3.2 on GA media (Moderate)
    2021-08-09
    oval:org.opensuse.security:def:100848
    P
    		graphviz-2.40.1-6.6.4 on GA media (Moderate)
    2021-08-09
    oval:org.opensuse.security:def:66814
    P
    		Security update for the Linux Kernel (Important)
    2021-06-08
    oval:org.opensuse.security:def:66722
    P
    		Security update for xen (Important)
    2021-04-06
    oval:org.opensuse.security:def:70170
    P
    		Security update for gcc7 (Moderate)
    2020-12-10
    oval:org.opensuse.security:def:1867
    P
    		jackson-databind-2.10.2-1.74 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:117072
    P
    		jackson-databind-2.10.2-1.74 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:62956
    P
    		jackson-databind-2.10.2-1.74 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:72675
    P
    		jackson-databind-2.10.2-1.74 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:94135
    P
    		jackson-databind-2.10.2-1.74 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:107514
    P
    		jackson-databind-2.10.2-1.74 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:73505
    P
    		jackson-databind on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:49784
    P
    		glibc-devel-32bit on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:49838
    P
    		jackson-databind on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:73387
    P
    		gnome-desktop-lang on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:70065
    P
    		imlib2-loaders on GA media (Moderate)
    2020-12-01
    oval:com.ubuntu.disco:def:2018113070000000
    V
    		CVE-2018-11307 on Ubuntu 19.04 (disco) - medium.
    2019-07-09
    oval:com.ubuntu.cosmic:def:2018113070000000
    V
    		CVE-2018-11307 on Ubuntu 18.10 (cosmic) - medium.
    2019-07-09
    oval:com.ubuntu.bionic:def:2018113070000000
    V
    		CVE-2018-11307 on Ubuntu 18.04 LTS (bionic) - medium.
    2019-07-09
    oval:com.ubuntu.xenial:def:2018113070000000
    V
    		CVE-2018-11307 on Ubuntu 16.04 LTS (xenial) - medium.
    2019-07-09
    oval:com.ubuntu.bionic:def:201811307000
    V
    		CVE-2018-11307 on Ubuntu 18.04 LTS (bionic) - medium.
    2018-12-31
    oval:com.ubuntu.cosmic:def:201811307000
    V
    		CVE-2018-11307 on Ubuntu 18.10 (cosmic) - medium.
    2018-12-31
    oval:com.ubuntu.trusty:def:201811307000
    V
    		CVE-2018-11307 on Ubuntu 14.04 LTS (trusty) - medium.
    2018-12-31
    oval:com.ubuntu.xenial:def:201811307000
    V
    		CVE-2018-11307 on Ubuntu 16.04 LTS (xenial) - medium.
    2018-12-31
    BACK
    fasterxml jackson-databind 2.9.5
    fasterxml jackson-databind 2.0.0
    ibm sterling b2b integrator 5.2.0.0
    ibm sterling b2b integrator 6.0.3.1
    ibm security identity governance and intelligence 5.2.6
    ibm log analysis 1.3.1
    ibm log analysis 1.3.2
    ibm log analysis 1.3.3
    ibm log analysis 1.3.4
    ibm log analysis 1.3.5
    ibm log analysis 1.3.6
    ibm security guardium insights 2.0.1
    ibm security guardium data encryption 3.0.0.2