CVE-2018-1000873

MEDIUM

jackson-modules-java8 < 2.9.8 - Denial of Service via Large Nanoseconds Field in Time Value

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2018-1000873. PoCs published by dawetmaster, andikahilmy.

AI-analyzed exploit summary: This repository contains the source code for the Jackson modules for Java 8, specifically the vulnerable version affected by CVE-2018-1000873. However, it does not include an exploit PoC or detailed analysis of the vulnerability.

Description

FasterXML Jackson versions before 2.9.8 contain a CWE-20: Improper Input Validation vulnerability in jackson-modules-java8 that can result in a denial of service (DoS). The attack appears to be exploitable when the victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. The vulnerability appears to have been fixed in 2.9.8.

Exploits (2)

nomisec STUB
by dawetmaster · poc
https://github.com/dawetmaster/CVE-2018-1000873-jackson-modules-java8-vulnerable

This repository contains the source code for the Jackson modules for Java 8, specifically the vulnerable version affected by CVE-2018-1000873. However, it does not include an exploit PoC or detailed analysis of the vulnerability.

Classification: Stub 90%
Attack Type: Deserialization
Complexity: Moderate
Reliability: Theoretical
Target: Jackson modules for Java 8 (jackson-datatype-jdk8)
No auth needed
Prerequisites: Vulnerable version of Jackson modules for Java 8
devstral-2 · analyzed Mar 14, 2026

nomisec WRITEUP
by andikahilmy · poc
https://github.com/andikahilmy/CVE-2018-1000873-jackson-modules-java8-vulnerable

This repository contains the vulnerable source code for CVE-2018-1000873, specifically the Jackson Modules Java8 library. It includes detailed documentation and code snippets demonstrating the usage of the library, but does not contain an exploit PoC or scanner.

Classification: Writeup 90%
Attack Type: Deserialization
Complexity: Moderate
Reliability: Theoretical
Target: Jackson Modules Java8 (jackson-datatype-jdk8) version 2.6.3 and earlier
No auth needed
Prerequisites: Target application using vulnerable Jackson Modules Java8 library
devstral-2 · analyzed Feb 18, 2026

References (14)

Core References
Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuapr2020.html
Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuoct2020.html
Patch, Third Party Advisory x_refsource_misc
https://github.com/FasterXML/jackson-modules-java8/pull/87
Issue Tracking, Third Party Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=1665601
Exploit, Patch, Third Party Advisory x_refsource_misc
https://github.com/FasterXML/jackson-modules-java8/issues/90
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20200904-0004/

Scores

CVSS v3 6.5
EPSS 0.0219
EPSS Percentile 84.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Details

CWE CWE-20
Status published
Products (11)
com.fasterxml.jackson.datatype/jackson-datatype-jsr310 0 - 2.9.8 (Maven)
fasterxml/jackson-modules-java8 < 2.9.8
netapp/active_iq_unified_manager 7.3 (2 CPE variants)
netapp/active_iq_unified_manager 9.5
oracle/clusterware 12.1.0.2.0
oracle/database_server 12.1.0.2
oracle/database_server 12.2.0.1
oracle/database_server 18c
oracle/database_server 19c
oracle/global_lifecycle_management_opatch < 11.2.0.3.23
... and 1 more
Published Dec 20, 2018
Tracked Since Feb 18, 2026