CVE-2018-5968: Deserialization of Untrusted Data

January 22, 2018 (updated September 27, 2019)

FasterXML jackson-databind allows unauthenticated remote code execution. This is exploitable via two different gadgets that bypass a denylist.

References

github.com/FasterXML/jackson-databind/issues/1899
nvd.nist.gov/vuln/detail/CVE-2018-5968
security.netapp.com/advisory/ntap-20180423-0002/
www.debian.org/security/2018/dsa-4114

Code Behaviors & Features

Detect and mitigate CVE-2018-5968 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →