{"id":"CVE-2018-21234","details":"Jodd before 5.0.4 performs Deserialization of Untrusted JSON Data when setClassMetadataName is set.","aliases":["GHSA-jrg3-qq99-35g7"],"modified":"2026-04-11T21:31:56.896281Z","published":"2020-05-21T23:15:11.103Z","references":[{"type":"WEB","url":"https://lists.apache.org/thread.html/r0bacc701ab7105500a0ab2769270d18f332cb379e6a62ec7553f3327%40%3Cissues.hive.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r157d01c96a2c10e7ceb3e005f42c52cfe87b11dd018935e1c4277433%40%3Cgitbox.hive.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r317aec95c436848233047af7ecb3ce04ce446eb6031f981aef50df0d%40%3Cdev.drill.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r729bc1e0f367fe8a857ac8a14641dba284ac4cf5131edf483022cf59%40%3Cissues.hive.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r965503b27d67a2d934e34fc1d088c9547d51d927c43b8b9bd9b7e695%40%3Cissues.hive.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rc23200043872384e0fc48a4a4502f4c6b4b5ddc79ba4076414150d59%40%3Cissues.hive.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rc85b650b4ad2c77d7c39c69824488e40dce6d0ebbb4204777d094375%40%3Cgitbox.hive.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rd575d9877424a2d8776f5c2ff33bf3dc3382cd83f031d483f29c11ab%40%3Cissues.hive.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rdbb99b43334b59d3d3478d360c87e3235ba22edb1de7d39019194347%40%3Cissues.hive.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rdce006b282e56c5cc73cdf452c51c5097154d0503396d62f48abbeae%40%3Cgitbox.hive.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rf458683390d6650b26a2c8ba8ad396e038e520ad1cc3f3f1e20514d9%40%3Cdev.hive.apache.org%3E"},{"type":"ADVISORY","url":"https://github.com/oblac/jodd/compare/v5.0.3...v5.0.4"},{"type":"ADVISORY","url":"https://github.com/oblac/jodd/issues/628"},{"type":"FIX","url":"https://github.com/oblac/jodd/commit/9bffc3913aeb8472c11bb543243004b4b4376f16"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/hive","events":[{"introduced":"0"},{"last_affected":"8190d2be7b7165effa62bd21b7d60ef81fb0e4af"}],"database_specific":{"cpe":"cpe:2.3:a:apache:hive:3.1.2:*:*:*:*:*:*:*","extracted_events":[{"introduced":"0"},{"last_affected":"3.1.2"}],"source":"CPE_FIELD"}}],"versions":["rel/release-3.1.0","rel/release-3.1.1","rel/release-3.1.2","release-3.1.2-rc0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-21234.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/oblac/jodd","events":[{"introduced":"0"},{"fixed":"9c891fc72e74779440ef1eeeaa70eab376818720"},{"fixed":"9bffc3913aeb8472c11bb543243004b4b4376f16"}],"database_specific":{"cpe":"cpe:2.3:a:jodd:jodd:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"0"},{"fixed":"5.0.4"}],"source":["CPE_FIELD","REFERENCES"]}}],"versions":["v3.4.0","v3.4.1","v3.4.10","v3.4.2","v3.4.3","v3.4.4","v3.4.5","v3.4.7","v3.4.8","v3.4.9","v3.5","v3.5.1","v3.5.2","v3.6","v3.6.1","v3.6.2","v3.6.3","v3.6.4","v3.6.5","v3.6.6","v3.6.7","v3.7","v3.7.1","v3.8","v3.8.0","v3.8.1","v3.8.5","v3.8.6","v3.9","v3.9.1","v4.0.0","v4.1.0","v4.1.1","v4.1.4","v4.1.5","v4.2.0","v4.3.0","v4.3.1","v4.3.2","v5.0.0","v5.0.1","v5.0.2","v5.0.3"],"database_specific":{"vanir_signatures_modified":"2026-04-11T21:31:56Z","vanir_signatures":[{"deprecated":false,"signature_version":"v1","target":{"file":"jodd-json/src/main/java/jodd/json/JsonParser.java"},"digest":{"line_hashes":["198522618421086842669461628958655246747","299400162155763133414993199138688733038","36460051375629793932303636773183949303","73198954444898560646212271078822862548","283292402706264191490652796043599367024","164404745960515918751399929734795685030","5013077261249814823333178636179576197"],"threshold":0.9},"id":"CVE-2018-21234-0a186348","signature_type":"Line","source":"https://github.com/oblac/jodd/commit/9bffc3913aeb8472c11bb543243004b4b4376f16"},{"deprecated":false,"signature_version":"v1","target":{"function":"map2bean","file":"jodd-json/src/main/java/jodd/json/MapToBean.java"},"digest":{"function_hash":"150659002444411691445559585148327620157","length":1556},"id":"CVE-2018-21234-80b6864d","signature_type":"Function","source":"https://github.com/oblac/jodd/commit/9bffc3913aeb8472c11bb543243004b4b4376f16"},{"deprecated":false,"signature_version":"v1","target":{"file":"jodd-json/src/main/java/jodd/json/MapToBean.java"},"digest":{"line_hashes":["214725461818025221634430265778613246701","244967375890363988297663312649443074228","21965940755875442979336604635808219962","301212955012635425009146496555427443621","297694697509337179882558693984498556210","60388440001902776687545077966616286877","308134723903102058898853773951793039204","264932224051603028143653420982385799696","217416844301540765260759182213894968120","243191484542778746029218417175007760524","87972665837479489297426055128452730008"],"threshold":0.9},"id":"CVE-2018-21234-839c464f","signature_type":"Line","source":"https://github.com/oblac/jodd/commit/9bffc3913aeb8472c11bb543243004b4b4376f16"},{"deprecated":false,"signature_version":"v1","target":{"file":"jodd-json/src/test/java/jodd/json/JSONDeserializerTest.java"},"digest":{"line_hashes":["331404379708205865508339681454607284059","119095956572842698012316124600553959001","1278427587890270671785609993730678418","289107508559760982555679376257379788826","203883686736029240460947877299987777306","29010874320862694110270665673835496034","276042016848699108430829193718110593417"],"threshold":0.9},"id":"CVE-2018-21234-b94d1d03","signature_type":"Line","source":"https://github.com/oblac/jodd/commit/9bffc3913aeb8472c11bb543243004b4b4376f16"},{"deprecated":false,"signature_version":"v1","target":{"file":"jodd-json/src/main/java/jodd/json/JsonParserBase.java"},"digest":{"line_hashes":["309586792075453030448865919498237075886","141117149950635304899992242077618966874","199742548849720648788873078390530735582","70036849247241030278167886348885569640"],"threshold":0.9},"id":"CVE-2018-21234-cfa8dd3b","signature_type":"Line","source":"https://github.com/oblac/jodd/commit/9bffc3913aeb8472c11bb543243004b4b4376f16"}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-21234.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}