CVE-2018-11307
Information Exfiltration vulnerability in jackson-databind (Maven)


What is CVE-2018-11307 About?

This vulnerability in FasterXML jackson-databind versions 2.0.0 through 2.9.5 allows Information Exfiltration. When Jackson default typing is used with a gadget class from iBatis, attackers can exfiltrate content. The vulnerability is relatively easy to exploit given the presence of default typing and the specified gadget.

Affected Software

  • com.fasterxml.jackson.core:jackson-databind
    • >2.0.0, <2.7.9.4
    • >2.8.0, <2.8.11.2
    • >2.9.0, <2.9.6

Technical Details

An issue exists in FasterXML jackson-databind versions 2.0.0 through 2.9.5. When Jackson's default typing mechanism is enabled for deserialization, and an iBatis gadget class is present and exploitable on the classpath, an attacker can craft a special JSON payload. This payload leverages the deserialization process to instantiate and invoke methods on the iBatis gadget, which can be manipulated to read and transfer sensitive data (content exfiltration) from the server to an attacker-controlled endpoint. The 'gadget' refers to a class with an unexpected side effect during deserialization that can be chained to perform malicious actions.

What is the Impact of CVE-2018-11307?

Successful exploitation may allow attackers to exfiltrate sensitive data from the system, leading to data breaches and privacy violations.

What is the Exploitability of CVE-2018-11307?

Exploitation of this information exfiltration vulnerability involves sending a specifically crafted JSON payload to an application that uses jackson-databind versions 2.0.0 through 2.9.5 with default typing enabled. The complexity is moderate, requiring knowledge of the class path and how to leverage the iBatis gadget. No authentication is required if the deserialization endpoint is publicly accessible. Privilege requirements are low, as any user capable of submitting JSON input can potentially trigger it. This is a remote attack. The critical special conditions are the use of Jackson default typing and the presence of a vulnerable iBatis gadget class on the classpath. The likelihood of exploitation increases when applications deserialize untrusted user input with default typing enabled, especially in environments where iBatis or other potentially exploitable libraries are present.

What are the Known Public Exploits?

No known public exploits (no PoC, author, link or commentary listed).

What are the Available Fixes for CVE-2018-11307?

A Fix by Resolved Security Exists!
See how we help you strengthen security with automated backported fixes for your libraries.

About the Fix from Resolved Security

The patch adds org.apache.ibatis.parsing.XPathParser to a blocklist of classes that are not allowed for polymorphic deserialization. This prevents exploitation of CVE-2018-11307, which allows attackers to trigger unsafe XML parsing via crafted inputs that could lead to data exfiltration or remote code execution using this class.
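As an added illustration (not code from this advisory or from the Jackson project), the unsafe default-typing configuration this CVE needs is shown beside a hardened one that allowlists the application's own types instead of relying on the blocklist; it assumes jackson-databind 2.10 or later for the PolymorphicTypeValidator API and uses com.example.model as a placeholder package.

```java
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingDemo {

    // Unsafe: global default typing lets the JSON document name the class to
    // instantiate. With WRAPPER_ARRAY (Jackson's default) a body of the form
    // ["fully.qualified.Class", {...}] is resolved on the classpath. The 2.9.6
    // fix only blocklists known gadgets such as XPathParser; the mechanism stays.
    @SuppressWarnings("deprecation")
    static ObjectMapper unsafeMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // Hardened: when polymorphic deserialization is really needed, allow only
    // the application's own types; every other type id is rejected before
    // the class is instantiated (jackson-databind 2.10+ API).
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType("com.example.model.")   // assumed app package prefix
            .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv,
            ObjectMapper.DefaultTyping.NON_FINAL,
            JsonTypeInfo.As.WRAPPER_ARRAY);
        return mapper;
    }

    // Constructed request body in the default-typing wire format, naming the
    // class the fix blocklists; the value part is deliberately empty.
    static final String UNTRUSTED =
        "[\"org.apache.ibatis.parsing.XPathParser\", {}]";

    public static void main(String[] args) {
        try {
            hardenedMapper().readValue(UNTRUSTED, Object.class);
            System.out.println("accepted (should not happen)");
        } catch (JsonProcessingException e) {
            // Expected path: the type id is outside the allowlist
            System.out.println("rejected: " + e.getOriginalMessage());
        }
    }
}
```

Running the same input through unsafeMapper() on a fixed version is stopped only by the blocklist entry, so on an unfixed version the allowlist is the control that actually holds.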

Available Upgrade Options

  • com.fasterxml.jackson.core:jackson-databind
    • >2.0.0, <2.7.9.4 → Upgrade to 2.7.9.4
  • com.fasterxml.jackson.core:jackson-databind
    • >2.8.0, <2.8.11.2 → Upgrade to 2.8.11.2
  • com.fasterxml.jackson.core:jackson-databind
    • >2.9.0, <2.9.6 → Upgrade to 2.9.6


Additional Resources

What are Similar Vulnerabilities to CVE-2018-11307?

Similar Vulnerabilities: CVE-2020-35728, CVE-2021-38706, CVE-2021-29425, CVE-2022-42003, CVE-2023-24998