Description

An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.

Remediation

References

CVE-2018-12022

Related Vulnerabilities

MySQL CVE-2022-21342 Vulnerability (CVE-2022-21342)

Drupal Core 5.x Cross-Site Request Forgery (5.0 - 5.5)

WordPress Plugin bizzCam Video Cross-Site Scripting (0.1)

Lighttpd Out-of-bounds Write Vulnerability (CVE-2022-22707)

TYPO3 Other Vulnerability (CVE-2007-1081)

Severity

High

Classification

CVE-2018-12022 CWE-502 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities