CVE-2018-1000873

Summary

CVE	CVE-2018-1000873
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2018-12-20 17:29:00 UTC
Updated	2023-11-07 02:51:00 UTC
Description	Fasterxml Jackson version Before 2.9.8 contains a CWE-20: Improper Input Validation vulnerability in Jackson-Modules-Java8 that can result in Causes a denial-of-service (DoS). This attack appear to be exploitable via The victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8.

Risk And Classification

Problem Types: CWE-20

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Fasterxml	Jackson-modules-java8	All	All	All	All
Application	Fasterxml	Jackson-modules-java8	All	All	All	All
Application	Netapp	Active Iq Unified Manager	All	All	All	All
Application	Netapp	Active Iq Unified Manager	All	All	All	All
Application	Netapp	Active Iq Unified Manager	All	All	All	All
Application	Netapp	Active Iq Unified Manager	All	All	All	All
Application	Netapp	Active Iq Unified Manager	All	All	All	All
Application	Netapp	Active Iq Unified Manager	All	All	All	All
Application	Oracle	Clusterware	12.1.0.2.0	All	All	All
Application	Oracle	Clusterware	12.1.0.2.0	All	All	All
Application	Oracle	Database Server	12.1.0.2	All	All	All
Application	Oracle	Database Server	12.2.0.1	All	All	All
Application	Oracle	Database Server	18c	All	All	All
Application	Oracle	Database Server	19c	All	All	All
Application	Oracle	Database Server	12.1.0.2	All	All	All
Application	Oracle	Database Server	12.2.0.1	All	All	All
Application	Oracle	Database Server	18c	All	All	All
Application	Oracle	Database Server	19c	All	All	All
Application	Oracle	Global Lifecycle Management Opatch	All	All	All	All
Application	Oracle	Global Lifecycle Management Opatch	All	All	All	All
Application	Oracle	Nosql Database	All	All	All	All
Application	Oracle	Nosql Database	All	All	All	All

References

Reference	Source	Link	Tags
Pony Mail!		lists.apache.org
Pony Mail!		lists.apache.org
Pony Mail!	MLIST	lists.apache.org	Mailing List, Third Party Advisory
Oracle Critical Patch Update Advisory - October 2020	MISC	www.oracle.com	Third Party Advisory
Performance issue with malicious `BigDecimal` input, `InstantDeserializer`, `DurationDeserializer` (CVE-2018-1000873) · Issue #90 · FasterXML/jackson-modules-java8 · GitHub	MISC	github.com	Exploit, Patch, Third Party Advisory
Pony Mail!		lists.apache.org
Pony Mail!	MLIST	lists.apache.org	Mailing List, Third Party Advisory
Prevent unbounded latency converting decimals to time by toddjonker · Pull Request #87 · FasterXML/jackson-modules-java8 · GitHub	MISC	github.com	Patch, Third Party Advisory
Pony Mail!		lists.apache.org
Oracle Critical Patch Update - July 2019	MISC	www.oracle.com	Third Party Advisory
CVE-2018-1000873 FasterXML jackson-databind Vulnerability in NetApp Products \| NetApp Product Security	CONFIRM	security.netapp.com	Third Party Advisory
Pony Mail!	MLIST	lists.apache.org	Mailing List, Patch, Third Party Advisory
Pony Mail!	MLIST	lists.apache.org	Mailing List, Patch, Third Party Advisory
Oracle Critical Patch Update - October 2019	MISC	www.oracle.com	Third Party Advisory
Pony Mail!		lists.apache.org
Pony Mail!	MLIST	lists.apache.org	Mailing List, Third Party Advisory
Oracle Critical Patch Update Advisory - April 2020	N/A	www.oracle.com	Third Party Advisory
Pony Mail!	MLIST	lists.apache.org	Mailing List, Third Party Advisory
Pony Mail!		lists.apache.org
1665601 – (CVE-2018-1000873) CVE-2018-1000873 jackson-modules-java8: DoS due to an Improper Input Validation	CONFIRM	bugzilla.redhat.com	Issue Tracking, Third Party Advisory
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

981069 Java (maven) Security Update for com.fasterxml.jackson.datatype:jackson-datatype-jsr310 (GHSA-h4x4-5qp2-wp46)