Vulnerability Details : CVE-2018-1000873
FasterXML Jackson versions before 2.9.8 contain a CWE-20: Improper Input Validation vulnerability in jackson-modules-java8 that can result in a denial of service (DoS). The attack appears to be exploitable when the victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8.
Vulnerability category: Input validation; Denial of service
Products affected by CVE-2018-1000873
- cpe:2.3:a:oracle:database_server:12.1.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:database_server:12.2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:database_server:18c:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:database_server:19c:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:clusterware:12.1.0.2.0:*:*:*:*:*:*:*
- Oracle » Global Lifecycle Management Opatch, versions from including (>=) 13.9.4.0.0 and before (<) 13.9.4.2.1: cpe:2.3:a:oracle:global_lifecycle_management_opatch:*:*:*:*:*:*:*:*
- Oracle » Global Lifecycle Management Opatch, versions from including (>=) 12.2.0.1.0 and before (<) 12.2.0.1.19: cpe:2.3:a:oracle:global_lifecycle_management_opatch:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:global_lifecycle_management_opatch:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:nosql_database:*:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:vmware_vsphere:*:*
- cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:linux:*:*
- cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:windows:*:*
- cpe:2.3:a:fasterxml:jackson-modules-java8:*:*:*:*:*:*:*:*
Threat overview for CVE-2018-1000873
- Top open port discovered on systems with this issue: 1521
- IPs affected by CVE-2018-1000873: 16,797
- Threat actors abusing this issue? Yes
Exploit prediction scoring system (EPSS) score for CVE-2018-1000873
- EPSS score: 0.52% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~74% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2018-1000873
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:N/A:P | 8.6 | 2.9 | NIST |
6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H | 2.8 | 3.6 | NIST |
CWE ids for CVE-2018-1000873
- CWE-20 (Improper Input Validation): The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-1000873
- https://www.oracle.com/security-alerts/cpuoct2020.html
  Oracle Critical Patch Update Advisory - October 2020 (Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuapr2020.html
  Oracle Critical Patch Update Advisory - April 2020 (Third Party Advisory)
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
  Page not found | Oracle (Third Party Advisory)
- https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
  Oracle Critical Patch Update - July 2019 (Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20200904-0004/
  CVE-2018-1000873 FasterXML jackson-databind Vulnerability in NetApp Products | NetApp Product Security (Third Party Advisory)
- https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E
  [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities - Pony Mail (Mailing List; Third Party Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=1665601
  1665601 – (CVE-2018-1000873) CVE-2018-1000873 jackson-modules-java8: DoS due to an Improper Input Validation (Issue Tracking; Third Party Advisory)
- https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E
  [GitHub] [pulsar] one70six opened a new issue #4057: Security Vulnerabilities - Black Duck Scan - Pulsar v.2.3.1 - Pony Mail (Mailing List; Third Party Advisory)
- https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E
  Pony Mail! (Mailing List; Third Party Advisory)
- https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E
  svn commit: r1869773 - /nifi/site/trunk/security.html - Pony Mail (Mailing List; Patch; Third Party Advisory)
- https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E
  svn commit: r1873083 - /nifi/site/trunk/security.html - Pony Mail (Mailing List; Patch; Third Party Advisory)
- https://github.com/FasterXML/jackson-modules-java8/issues/90
  Performance issue with malicious `BigDecimal` input, `InstantDeserializer`, `DurationDeserializer` (CVE-2018-1000873) · Issue #90 · FasterXML/jackson-modules-java8 · GitHub (Exploit; Patch; Third Party Advisory)
- https://github.com/FasterXML/jackson-modules-java8/pull/87
  Prevent unbounded latency converting decimals to time by toddjonker · Pull Request #87 · FasterXML/jackson-modules-java8 · GitHub (Patch; Third Party Advisory)
- https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E
  [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities - Pony Mail (Mailing List; Third Party Advisory)