CVE-2018-19360
Polymorphic Deserialization vulnerability in jackson-databind (Maven)


What is CVE-2018-19360 About?

This vulnerability in FasterXML jackson-databind 2.x before 2.9.8 is a polymorphic deserialization flaw. It stems from the library's failure to block specific gadget classes, which can allow attackers to have an unspecified impact. How easily it can be exploited depends on whether a susceptible gadget is available on the classpath.

Affected Software

  • com.fasterxml.jackson.core:jackson-databind
    • >2.9.0, <2.9.8
    • >2.8.0, <2.8.11.3
    • >2.7.0, <2.7.9.5

Technical Details

The FasterXML jackson-databind library, versions 2.x before 2.9.8, is vulnerable to a polymorphic deserialization flaw: it fails to block a gadget class from the axis2-transport-jms library (the Apache Axis2 JMS transport) from being used during polymorphic deserialization. When an application uses jackson-databind to deserialize untrusted data with polymorphic typing enabled (for example, default typing, where the JSON itself carries the class name to instantiate), an attacker can craft a JSON payload whose type identifier names that class. If the class is present on the application's classpath, its instantiation and property setting during deserialization can be abused for unintended operations, which may lead to arbitrary code execution, denial of service, or other malicious actions.

What is the Impact of CVE-2018-19360?

Successful exploitation may allow attackers to execute arbitrary code, achieve remote code execution, cause a denial of service, or perform other unspecified impacts depending on the available gadgets.

What is the Exploitability of CVE-2018-19360?

Exploitation typically involves crafting a malicious JSON payload and sending it to an application that deserializes it with jackson-databind and polymorphic type handling enabled. The complexity is moderate to high, because it requires knowledge of the deserialization gadgets available on the target's classpath. No authentication is required if the deserialization endpoint is publicly accessible, so privilege requirements are low: an unauthenticated attacker can potentially submit the payload. The attack vector is remote. The main special condition is the presence of the axis2-transport-jms gadget class (or another vulnerable gadget) on the application's classpath. Risk factors that increase the likelihood of exploitation include widespread polymorphic deserialization of untrusted input and a large classpath that includes known gadget libraries.

What are the Known Public Exploits?

No known public exploits are listed (the PoC / Author / Link / Commentary table is empty).

What are the Available Fixes for CVE-2018-19360?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

The patch adds several third-party classes to a denylist (DEFAULT_NO_DESER_CLASS_NAMES) that Jackson uses to block unsafe deserialization, preventing these classes from being deserialized. This mitigates the gadget-chain vulnerabilities exploited via deserialization that could lead to remote code execution, addressing CVE-2018-19360 by expanding protection against newly identified dangerous classes.
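As an added example (not code from this advisory or from the jackson-databind project), the following shows the weak default-typing setup that the Technical Details describe beside an allow-list configuration that refuses every type id not explicitly permitted, which is a stronger control than the class-name denylist the fix extends. It assumes a hypothetical com.example.demo package with a Greeting class, and the allow-list API (BasicPolymorphicTypeValidator, activateDefaultTyping) that exists in jackson-databind 2.10 and later.

```java
package com.example.demo;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class PolymorphicTypingDemo {
    // Hypothetical application type that we do want to accept polymorphically.
    public static class Greeting {
        public String text;
    }

    // Weak: every class name in the payload is resolved, so only the built-in
    // denylist (DEFAULT_NO_DESER_CLASS_NAMES) stands between input and a gadget.
    @SuppressWarnings("deprecation")
    static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // deprecated since 2.10 for exactly this reason
        return mapper;
    }

    // Hardened: a type id is honoured only if it names a class under our own
    // package; anything else is refused before the class is instantiated.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.demo.")
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // Returns the class Jackson instantiated, or null if it refused the type id.
    static String tryRead(ObjectMapper mapper, String json) throws Exception {
        try {
            return mapper.readValue(json, Object.class).getClass().getName();
        } catch (JsonMappingException refused) {
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: in the WRAPPER_ARRAY form the first element is the
        // type id, which is exactly the part that untrusted input controls.
        String expected = "[\"com.example.demo.PolymorphicTypingDemo$Greeting\", {\"text\": \"hi\"}]";
        String offList = "[\"java.util.HashMap\", {}]"; // harmless, but not allow-listed
        System.out.println("weak / expected:     " + tryRead(weakMapper(), expected));
        System.out.println("weak / off-list:     " + tryRead(weakMapper(), offList));
        System.out.println("hardened / expected: " + tryRead(hardenedMapper(), expected));
        System.out.println("hardened / off-list: " + tryRead(hardenedMapper(), offList));
    }
}
```

The weak mapper instantiates both payloads, while the hardened mapper accepts only the allow-listed Greeting and returns null for the off-list type id, so a gadget that has not yet been added to the denylist is still refused.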

Available Upgrade Options

  • com.fasterxml.jackson.core:jackson-databind
    • >2.7.0, <2.7.9.5 → Upgrade to 2.7.9.5
    • >2.8.0, <2.8.11.3 → Upgrade to 2.8.11.3
    • >2.9.0, <2.9.8 → Upgrade to 2.9.8


Additional Resources

What are Similar Vulnerabilities to CVE-2018-19360?

Similar Vulnerabilities: CVE-2020-35728, CVE-2021-38706, CVE-2021-29425, CVE-2022-42003, CVE-2023-24998