CVE-2018-7489 - Remote Code Execution (RCE)

Severity: Low2022-01-19

Security Advisories

Abstract

FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.

The Oxygen products incorporate FasterXML jackson-databind as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Affected Products/Versions

ProductSeverityFixed Release Availability
Oxygen XML Web Author v22.1.0 Low N/A

Mitigation

None

Detail

CVE-2018-7489

Severity: Critical

CVSS Score: 9.8

The FarsterXML jackson-databind third-party library used by Oxygen XML products is an affected version mentioned in CVE-2018-7489 vulnerability description. However, c3p0 libraries are not available in the Oxygen XML products classpath. For that reason, we have rated the severity level for our products as low.

List of Security Advisories

Video Tutorials
Upcoming Events
conference
Evolution of TC 2026
June 2-3, 2026 Sofia, Bulgaria

Products

Features

Shop

Resources

Support

Company

© 2002-2026 SyncRO Soft SRL. All rights reserved.

This website was created & generated with <oXygen/>®XML Editor