CVE-2018-5968
HIGHFasterXML jackson-databind <2.8.11, 2.9.x<2.9.3 - RCE
Title source: llmDescription
FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.
Exploits (2)
nomisec
WORKING POC
by dawetmaster · poc
https://github.com/dawetmaster/CVE-2018-5968-jackson-databind-vulnerable
nomisec
WORKING POC
by andikahilmy · poc
https://github.com/andikahilmy/CVE-2018-5968-jackson-databind-vulnerable
References (12)
Scores
CVSS v3
8.1
EPSS
0.0197
EPSS Percentile
83.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-184
CWE-502
Status
published
Products (12)
com.fasterxml.jackson.core/jackson-databind
2.8.0 - 2.8.11.1Maven
debian/debian_linux
8.0
debian/debian_linux
9.0
fasterxml/jackson-databind
2.0.0 - 2.6.7.3
netapp/e-series_santricity_os_controller
11.0.0 - 11.60.3
netapp/e-series_santricity_web_services_proxy
netapp/oncommand_shift
redhat/jboss_enterprise_application_platform
7.1
redhat/openshift_container_platform
4.1
redhat/openshift_container_platform
3.11
... and 2 more
Published
Jan 22, 2018
Tracked Since
Feb 18, 2026