An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.
{
"unresolved_ranges": [
{
"vendor_product": "debian:debian_linux",
"cpes": [
"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*"
],
"source": "CPE_STRING",
"extracted_events": [
{
"introduced": "9.0"
},
{
"last_affected": "9.0"
}
]
},
{
"cpes": [
"cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*"
],
"vendor_product": "fedoraproject:fedora",
"extracted_events": [
{
"introduced": "29"
},
{
"last_affected": "29"
}
],
"source": "CPE_STRING"
},
{
"cpes": [
"cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:*:*:*:*:*:*:*"
],
"vendor_product": "oracle:jd_edwards_enterpriseone_tools",
"extracted_events": [
{
"introduced": "9.2"
},
{
"last_affected": "9.2"
}
],
"source": "CPE_STRING"
},
{
"vendor_product": "oracle:retail_merchandising_system",
"cpes": [
"cpe:2.3:a:oracle:retail_merchandising_system:15.0:*:*:*:*:*:*:*"
],
"source": "CPE_STRING",
"extracted_events": [
{
"introduced": "15.0"
},
{
"last_affected": "15.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:redhat:automation_manager:7.3.1:*:*:*:*:*:*:*"
],
"vendor_product": "redhat:automation_manager",
"extracted_events": [
{
"introduced": "7.3.1"
},
{
"last_affected": "7.3.1"
}
],
"source": "CPE_STRING"
},
{
"vendor_product": "redhat:decision_manager",
"cpes": [
"cpe:2.3:a:redhat:decision_manager:7.3.1:*:*:*:*:*:*:*"
],
"extracted_events": [
{
"introduced": "7.3.1"
},
{
"last_affected": "7.3.1"
}
],
"source": "CPE_STRING"
},
{
"vendor_product": "redhat:jboss_brms",
"cpes": [
"cpe:2.3:a:redhat:jboss_brms:6.4.10:*:*:*:*:*:*:*"
],
"extracted_events": [
{
"introduced": "6.4.10"
},
{
"last_affected": "6.4.10"
}
],
"source": "CPE_STRING"
},
{
"vendor_product": "redhat:jboss_enterprise_application_platform",
"cpes": [
"cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2.0:*:*:*:*:*:*:*"
],
"extracted_events": [
{
"introduced": "7.2.0"
},
{
"last_affected": "7.2.0"
}
],
"source": "CPE_STRING"
},
{
"vendor_product": "redhat:openshift_container_platform",
"cpes": [
"cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*"
],
"extracted_events": [
{
"introduced": "3.11"
},
{
"last_affected": "3.11"
}
],
"source": "CPE_STRING"
},
{
"cpes": [
"cpe:2.3:a:redhat:single_sign-on:7.3:*:*:*:*:*:*:*"
],
"vendor_product": "redhat:single_sign-on",
"extracted_events": [
{
"introduced": "7.3"
},
{
"last_affected": "7.3"
}
],
"source": "CPE_STRING"
}
]
}{
"cpe": "cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*",
"extracted_events": [
{
"introduced": "2.7.0"
},
{
"fixed": "2.7.9.4"
},
{
"introduced": "2.8.0"
},
{
"fixed": "2.8.11.2"
},
{
"introduced": "2.9.0"
},
{
"fixed": "2.9.6"
}
],
"source": [
"CPE_RANGE",
"REFERENCES"
]
}