CVE-2018-19361

CRITICAL

FasterXML jackson-databind <2.9.8 - Deserialization

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2018-19361. PoCs published by dawetmaster, andikahilmy.

AI-analyzed exploit summary: The published PoC repository contains a vulnerable version of Jackson Databind (2.9.0) that demonstrates CVE-2018-19361, a deserialization vulnerability. The included source code and build configuration allow for testing and exploitation of the flaw.

Description

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.

Exploits (2)

nomisec: WORKING POC, by dawetmaster (poc)
https://github.com/dawetmaster/CVE-2018-19361-jackson-databind-vulnerable

This repository contains a vulnerable version of Jackson Databind (2.9.0) that demonstrates CVE-2018-19361, a deserialization vulnerability. The included source code and build configuration allow for testing and exploitation of the flaw.

Classification: Working PoC 90%
Attack Type: Deserialization
Complexity: Moderate
Reliability: Reliable
Target: Jackson Databind 2.9.0
Authentication: none needed
Prerequisites: Java environment · vulnerable Jackson Databind version
Analyzed by devstral-2 on Mar 14, 2026
nomisec: WORKING POC, by andikahilmy (poc)
https://github.com/andikahilmy/CVE-2018-19361-jackson-databind-vulnerable

This repository contains a functional exploit for CVE-2018-19361, a deserialization vulnerability in Jackson Databind. The exploit leverages malicious gadget chains to achieve remote code execution (RCE) by manipulating the deserialization process in vulnerable versions of the library.

Classification: Working PoC 95%
Attack Type: Deserialization
Complexity: Moderate
Reliability: Reliable
Target: Jackson Databind (versions prior to 2.9.8)
Authentication: none needed
Prerequisites: Vulnerable version of Jackson Databind · Ability to send crafted JSON payloads to the target application
Analyzed by devstral-2 on Feb 18, 2026

References (37)

Core References
https://github.com/FasterXML/jackson-databind/issues/2186 [Issue Tracking, Patch, Third Party Advisory; x_refsource_confirm]
https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html [Mailing List, Third Party Advisory; mailing-list, x_refsource_mlist]
https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8 [Patch, Release Notes, Third Party Advisory; x_refsource_confirm]
https://issues.apache.org/jira/browse/TINKERPOP-2121 [Issue Tracking, Third Party Advisory; x_refsource_confirm]
https://access.redhat.com/errata/RHSA-2019:0782 [Third Party Advisory; vendor-advisory, x_refsource_redhat]
https://access.redhat.com/errata/RHSA-2019:0877 [Third Party Advisory; vendor-advisory, x_refsource_redhat]
https://access.redhat.com/errata/RHBA-2019:0959 [Third Party Advisory; vendor-advisory, x_refsource_redhat]
https://www.debian.org/security/2019/dsa-4452 [Third Party Advisory; vendor-advisory, x_refsource_debian]
https://seclists.org/bugtraq/2019/May/68 [Mailing List, Third Party Advisory; mailing-list, x_refsource_bugtraq]
https://security.netapp.com/advisory/ntap-20190530-0003/ [Third Party Advisory; x_refsource_confirm]
https://access.redhat.com/errata/RHSA-2019:1782 [Third Party Advisory; vendor-advisory, x_refsource_redhat]
https://access.redhat.com/errata/RHSA-2019:1797 [Third Party Advisory; vendor-advisory, x_refsource_redhat]
http://www.securityfocus.com/bid/107985 [Third Party Advisory, VDB Entry; vdb-entry, x_refsource_bid]
https://access.redhat.com/errata/RHSA-2019:1822 [Third Party Advisory; vendor-advisory, x_refsource_redhat]
https://access.redhat.com/errata/RHSA-2019:1823 [Third Party Advisory; vendor-advisory, x_refsource_redhat]
https://access.redhat.com/errata/RHSA-2019:2804 [Vendor Advisory; vendor-advisory, x_refsource_redhat]
https://access.redhat.com/errata/RHSA-2019:2858 [Vendor Advisory; vendor-advisory, x_refsource_redhat]
https://access.redhat.com/errata/RHSA-2019:3002 [Vendor Advisory; vendor-advisory, x_refsource_redhat]
https://access.redhat.com/errata/RHSA-2019:3140 [Vendor Advisory; vendor-advisory, x_refsource_redhat]
https://access.redhat.com/errata/RHSA-2019:3149 [Vendor Advisory; vendor-advisory, x_refsource_redhat]
https://access.redhat.com/errata/RHSA-2019:3892 [Vendor Advisory; vendor-advisory, x_refsource_redhat]
https://access.redhat.com/errata/RHSA-2019:4037 [Vendor Advisory; vendor-advisory, x_refsource_redhat]

Scores

CVSS v3: 9.8
EPSS: 0.0244
EPSS Percentile: 85.5%
Attack Vector: NETWORK
Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-502 (Deserialization of Untrusted Data)
Status: published

Products (23)
com.fasterxml.jackson.core/jackson-databind 2.7.0 - 2.7.9.5 (Maven)
debian/debian_linux 8.0
debian/debian_linux 9.0
fasterxml/jackson-databind 2.6.0 - 2.6.7.2
oracle/business_process_management_suite 12.1.3.0.0
oracle/business_process_management_suite 12.2.1.3.0
oracle/primavera_p6_enterprise_project_portfolio_management 15.1
oracle/primavera_p6_enterprise_project_portfolio_management 15.2
oracle/primavera_p6_enterprise_project_portfolio_management 16.1
oracle/primavera_p6_enterprise_project_portfolio_management 16.2
... and 13 more
Published: Jan 02, 2019
Tracked Since: Feb 18, 2026