CVE-2018-21234
CRITICAL severity · CVSS 9.8 · Insecure deserialization
9.8CVSS CRITICAL
Summary
Jodd before 5.0.4 performs Deserialization of Untrusted JSON Data when setClassMetadataName is set.
Impact & exploitability
Attack vectorNetwork
Attack complexityLow
Privileges requiredNone
User interactionNone
Confidentiality impactHigh
Integrity impactHigh
Availability impactHigh
Exploit probability (EPSS)8%
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products we track (1)
Recommendation
Apply the vendor fix promptly. Open any affected product above for its exact safe version.
Official patch: https://github.com/oblac/jodd/commit/9bffc3913aeb8472c11bb543243004b4b4376f16 ↗
Additional information
- NVD record
- https://github.com/oblac/jodd/commit/9bffc3913aeb8472c11bb543243004b4b4376f16Patch
- https://github.com/oblac/jodd/compare/v5.0.3...v5.0.4Advisory
- https://github.com/oblac/jodd/issues/628Advisory
- https://lists.apache.org/thread.html/r0bacc701ab7105500a0ab2769270d18f332cb379e6a62ec7553f3327%40%3Cissues.hive.apache.org%3E
- https://lists.apache.org/thread.html/r157d01c96a2c10e7ceb3e005f42c52cfe87b11dd018935e1c4277433%40%3Cgitbox.hive.apache.org%3E
- https://lists.apache.org/thread.html/r317aec95c436848233047af7ecb3ce04ce446eb6031f981aef50df0d%40%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/r729bc1e0f367fe8a857ac8a14641dba284ac4cf5131edf483022cf59%40%3Cissues.hive.apache.org%3E
- https://lists.apache.org/thread.html/r965503b27d67a2d934e34fc1d088c9547d51d927c43b8b9bd9b7e695%40%3Cissues.hive.apache.org%3E