
CVE-2018-14720

jackson-databind: exfiltration/XXE in some JDK classes

  • Severity Score (CVSS v3): 9.8
  • Exploit Likelihood (EPSS):
  • Affected Versions (CPE):
  • Public Exploits (Multiple Sources): 0
  • Exploited in Wild (KEV): -
  • Decision (SSVC): -

Descriptions

FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.

*Credits: N/A
CVSS Scores
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: None
  • Availability: None

  • Attack Vector: Network
  • Attack Complexity: Low
  • Authentication: None
  • Confidentiality: Partial
  • Integrity: Partial
  • Availability: Partial
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2018-07-28 CVE Reserved
  • 2019-01-02 CVE Published
  • 2024-07-28 EPSS Updated
  • 2024-08-05 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-502: Deserialization of Untrusted Data
  • CWE-611: Improper Restriction of XML External Entity Reference
CAPEC
References (34)
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
Fasterxml | Jackson-databind | >= 2.6.0 < 2.6.7.2 | - | Affected
Fasterxml | Jackson-databind | >= 2.7.0 < 2.7.9.5 | - | Affected
Fasterxml | Jackson-databind | >= 2.8.0 < 2.8.11.3 | - | Affected
Fasterxml | Jackson-databind | >= 2.9.0 < 2.9.7 | - | Affected
Fasterxml | Jackson-databind | 2.7.0 | rc1 | Affected
Fasterxml | Jackson-databind | 2.7.0 | rc2 | Affected
Fasterxml | Jackson-databind | 2.7.0 | rc3 | Affected
Fasterxml | Jackson-databind | 2.8.0 | rc1 | Affected
Fasterxml | Jackson-databind | 2.8.0 | rc2 | Affected
Fasterxml | Jackson-databind | 2.9.0 | pr1 | Affected
Fasterxml | Jackson-databind | 2.9.0 | pr2 | Affected
Fasterxml | Jackson-databind | 2.9.0 | pr3 | Affected
Fasterxml | Jackson-databind | 2.9.0 | pr4 | Affected
Debian | Debian Linux | 8.0 | - | Affected
Debian | Debian Linux | 9.0 | - | Affected
Oracle | Banking Platform | 2.5.0 | - | Affected
Oracle | Banking Platform | 2.6.0 | - | Affected
Oracle | Banking Platform | 2.6.1 | - | Affected
Oracle | Banking Platform | 2.6.2 | - | Affected
Oracle | Communications Billing And Revenue Management | 7.5 | - | Affected
Oracle | Communications Billing And Revenue Management | 12.0 | - | Affected
Oracle | Enterprise Manager For Virtualization | 13.2.2 | - | Affected
Oracle | Enterprise Manager For Virtualization | 13.2.3 | - | Affected
Oracle | Enterprise Manager For Virtualization | 13.3.1 | - | Affected
Oracle | Financial Services Analytical Applications Infrastructure | 8.0.2 | - | Affected
Oracle | Financial Services Analytical Applications Infrastructure | 8.0.3 | - | Affected
Oracle | Financial Services Analytical Applications Infrastructure | 8.0.4 | - | Affected
Oracle | Financial Services Analytical Applications Infrastructure | 8.0.5 | - | Affected
Oracle | Financial Services Analytical Applications Infrastructure | 8.0.6 | - | Affected
Oracle | Financial Services Analytical Applications Infrastructure | 8.0.7 | - | Affected
Oracle | Jdeveloper | 12.1.3.0.0 | - | Affected
Oracle | Jdeveloper | 12.2.1.3.0 | - | Affected
Oracle | Primavera Unifier | >= 17.1 <= 17.12 | - | Affected
Oracle | Primavera Unifier | 16.1 | - | Affected
Oracle | Primavera Unifier | 16.2 | - | Affected
Oracle | Primavera Unifier | 18.8 | - | Affected
Oracle | Retail Merchandising System | 15.0 | - | Affected
Oracle | Retail Merchandising System | 16.0 | - | Affected
Oracle | Webcenter Portal | 12.2.1.3.0 | - | Affected
Redhat | Jboss Enterprise Application Platform | 7.2.0 | - | Affected
Redhat | Openshift Container Platform | 3.11 | - | Affected