CVE-2018-11307
Deserialization of Untrusted Data in jackson-databind
Description
An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and 2.9.6.
Base CVSS
9.8
EPSS Score
12.64%
Introduced Version
2.0.0-RC1
Fix Available
2.7.9.4,2.6.7.3,2.8.11.2,2.9.6
Available Patches
Package
CVEs Fixed
Lines of Code Changed