FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

payara -- Default typing issue in Jackson Databind

Affected packages
payara =
payara =
payara = 5.181.3
payara = 5.182


VuXML ID 93f8e0ff-f33d-11e8-be46-0019dbb15b3f
Discovery 2018-02-26
Entry 2018-11-28

FasterXML jackson-databind before and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.


CVE Name CVE-2018-7489