CVE-2018-7489 - Remote Code Execution (RCE)

Severity: Low2022-01-19

Security Advisories


FasterXML jackson-databind before, 2.8.x before and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.

The Oxygen products incorporate FasterXML jackson-databind as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Affected Products/Versions

ProductSeverityFixed Release Availability
Oxygen XML Web Author v22.1.0 Low N/A





Severity: Critical

CVSS Score: 9.8

The FarsterXML jackson-databind third-party library used by Oxygen XML products is an affected version mentioned in CVE-2018-7489 vulnerability description. However, c3p0 libraries are not available in the Oxygen XML products classpath. For that reason, we have rated the severity level for our products as low.

List of Security Advisories