Computer security experts: cybersecurity audits and consulting
French cybersecurity company since 2004
☎ 03 60 47 09 81 - info@securiteinfo.com


CVE-2018-7489

Description

FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.

POC

Reference

- http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

- http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

- http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

- https://www.oracle.com/security-alerts/cpuoct2020.html

- https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

- https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

- https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Github

- https://github.com/0xT11/CVE-POC

- https://github.com/ARPSyndicate/cve-scores

- https://github.com/ARPSyndicate/cvemon

- https://github.com/OWASP/www-project-ide-vulscanner

- https://github.com/PalindromeLabs/Java-Deserialization-CVEs

- https://github.com/SarthakShieldersoft/TestVWA

- https://github.com/bkhablenko/CVE-2017-8046

- https://github.com/cf-testorg/aws-sdk-java-test

- https://github.com/dashpradeep99/aws-sdk-java-code

- https://github.com/dashpradeep99/https-github.com-aws-aws-sdk-java

- https://github.com/dotanuki-labs/android-oss-cves-research

- https://github.com/hectorgie/PoC-in-GitHub

- https://github.com/ilmari666/cybsec

- https://github.com/klarna/kco_rest_java

- https://github.com/maddoudou22/repo-aws-sdk-java

- https://github.com/maddoudou22/test-aws-sdk-java

- https://github.com/maddoudou22/test-aws-sdk-java-B

- https://github.com/nekuroporisu/android-oss-cves-research

- https://github.com/pawankeshri/aws-sdk-java-master

- https://github.com/sdstoehr/har-reader

- https://github.com/seal-community/patches

- https://github.com/speedycloud/java-sdk

- https://github.com/tafamace/CVE-2018-7489

- https://github.com/yahoo/cubed

- https://github.com/zema1/oracle-vuln-crawler