CVE-2018-1000873: Input Validation
FasterXML jackson-modules-java8 before 2.9.8 contains a CWE-20: Improper Input Validation vulnerability that can result in a denial of service (DoS). The attack requires the victim to deserialize attacker-controlled input, specifically a time value whose nanoseconds field holds a very large value. The vulnerability is fixed in 2.9.8.
Other sources
Fasterxml Jackson version Before 2.9.8 contains an Improper Input Validation vulnerability in Jackson-Modules-Java8 that can result in a denial-of-service (DoS) when the victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value.
References: https://github.com/FasterXML/jackson-modules-java8/issues/90
Upstream Patch: https://github.com/FasterXML/jackson-modules-java8/pull/87
— Red Hat
FasterXML jackson-databind is vulnerable to a denial of service, caused by improper input validation by the nanoseconds time value field. By persuading a victim to deserialize specially-crafted input, a remote attacker could exploit this vulnerability to cause the application to crash.
— IBM
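The failure mode the three descriptions above share is a general one: a fractional-second timestamp is cheap to parse into a decimal (a digit string plus an exponent) but can be arbitrarily expensive to expand into an integer nanosecond count, so the size check has to run on the parsed form before any conversion. The Python example below is added here and is not Jackson's code (Jackson's fix is Java, in the jackson-datatype-jsr310 module of jackson-modules-java8); it shows the vulnerable "convert first" pattern next to a bounded parser that rejects oversized digit counts and exponents before expansion. The function names, the digit and exponent limits, and the sample inputs are assumptions made for this example; the epoch-second constants are those of java.time.Instant.MIN and Instant.MAX.

```python
"""Bounded parsing of a decimal epoch timestamp into (seconds, nanoseconds).

Added example, not Jackson's code. Illustrates the CWE-20 check behind
CVE-2018-1000873: a time value whose nanoseconds field is astronomically
large is cheap to *parse* but very expensive to *expand*, so the bound must
be enforced on the parsed form before any conversion to an integer.
"""
from decimal import Decimal, InvalidOperation, ROUND_FLOOR, localcontext

NANOS_PER_SECOND = 1_000_000_000

# Assumed limits for this example: generous for any real timestamp, but small
# enough that every intermediate integer stays well under 100 digits.
MAX_DIGITS = 30          # significant digits allowed in the input
MAX_ABS_EXPONENT = 40    # |decimal exponent| allowed in the input

# Epoch-second bounds of java.time.Instant (Instant.MIN / Instant.MAX).
MIN_EPOCH_SECOND = -31_557_014_167_219_200
MAX_EPOCH_SECOND = 31_556_889_864_403_199


def naive_split(value: str) -> tuple[int, int]:
    """Vulnerable 'before' form: convert first, validate never.

    int(Decimal("1e1000000000")) tries to materialise an integer with
    1,000,000,001 digits; on such input this function *is* the denial of
    service. It is only here for comparison on benign input.
    """
    d = Decimal(value)
    seconds = int(d)                                   # expansion happens here
    nanos = int((d - seconds) * NANOS_PER_SECOND)
    return seconds, nanos


def bounded_split(value: str) -> tuple[int, int]:
    """Hardened form: inspect the cheap parsed representation, reject, then convert.

    Returns (epoch_seconds, nanos) with 0 <= nanos < 1e9, the normalisation
    java.time.Instant uses (floor semantics for negative values).
    Raises ValueError for anything outside the assumed bounds.
    """
    try:
        d = Decimal(value)      # O(len(value)): stores digits + exponent, no expansion
    except InvalidOperation:
        raise ValueError(f"not a decimal number: {value!r}") from None
    if not d.is_finite():
        raise ValueError("timestamp must be finite (got NaN/Infinity)")

    _sign, digits, exponent = d.as_tuple()   # reads the stored form; still cheap
    if len(digits) > MAX_DIGITS:
        raise ValueError(f"too many significant digits: {len(digits)} > {MAX_DIGITS}")
    if abs(exponent) > MAX_ABS_EXPONENT:
        raise ValueError(f"exponent out of range: {exponent}")

    # Input is now bounded: at most MAX_DIGITS + MAX_ABS_EXPONENT + 9 digits can
    # be produced, so raise the context precision to keep the arithmetic exact.
    with localcontext() as ctx:
        ctx.prec = MAX_DIGITS + MAX_ABS_EXPONENT + 10
        total_nanos = int(d.scaleb(9).to_integral_value(rounding=ROUND_FLOOR))
    seconds, nanos = divmod(total_nanos, NANOS_PER_SECOND)

    if not MIN_EPOCH_SECOND <= seconds <= MAX_EPOCH_SECOND:
        raise ValueError(f"epoch second {seconds} outside Instant range")
    return seconds, nanos


def classify(values):
    """Run bounded_split over a batch; maps each input to (sec, nanos) or a rejection text."""
    out = {}
    for v in values:
        try:
            out[v] = bounded_split(v)
        except ValueError as e:
            out[v] = f"rejected: {e}"
    return out


if __name__ == "__main__":
    # Constructed sample inputs: three benign timestamps and three hostile ones.
    samples = [
        "1545000000.123456789",      # ordinary instant with nanosecond precision
        "-0.5",                      # half a second before the epoch
        "1.5e2",                     # exponent notation, still in bounds
        "1e1000000000",              # the attack shape: tiny literal, huge exponent
        "0." + "1" * 100,            # far more digits than any real timestamp
        "NaN",
    ]
    for value, result in classify(samples).items():
        print(f"{value[:24]:<24} -> {result}")
```

The order of the checks is the whole point: `as_tuple()` and `is_finite()` only read what the parser already stored, so the hostile literals are refused at a cost proportional to their length, and the one operation that can allocate (`int(...)`) runs only once the digit count and exponent are known to be small. The same discipline applies when the value arrives as a JSON number rather than a string: bound it before handing it to anything that converts it.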
Affected Software
FasterXML jackson-modules-java8 versions before 2.9.8 (fixed in 2.9.8).
Remediation
Patch Available: upgrade jackson-modules-java8 to 2.9.8 or later (upstream patch linked above).
Frequently Asked Questions
What is the vulnerability ID?
The vulnerability ID is CVE-2018-1000873.
What is the severity of CVE-2018-1000873?
The severity of CVE-2018-1000873 is medium, with a CVSS base score of 6.5.
Which software versions are affected by CVE-2018-1000873?
FasterXML jackson-modules-java8 versions before 2.9.8 are affected by CVE-2018-1000873; version 2.9.8 contains the fix.
What is the vulnerability type of CVE-2018-1000873?
CVE-2018-1000873 is a CWE-20: Improper Input Validation vulnerability.
How can CVE-2018-1000873 be exploited?
CVE-2018-1000873 can be exploited by getting the victim to deserialize malicious input, specifically a time value with a very large nanoseconds field, which causes a denial of service.