CVE-2018-14721

jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class

Severity Score

10.0

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.

Las versiones 2.x de FasterXML jackson-databind anteriores a la 2.9.7 podrían permitir a los atacantes remotos realizar ataques de SSRF (Server-Side Request Forgery) aprovechando un fallo para bloquear la clase axis2-ext de deserialización polimórfica.

Red Hat Decision Manager is an open source decision management platform that combines business rules management, complex event processing, Decision Model & Notation execution, and Business Optimizer for solving planning problems. It automates business decisions and makes that logic available to the entire business. This release of Red Hat Decision Manager 7.4.0 serves as an update to Red Hat Decision Manager 7.3.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Issues addressed include code execution and deserialization vulnerabilities.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2018-07-28 CVE Reserved
2019-01-02 CVE Published
2024-08-05 CVE Updated
2025-07-08 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-352: Cross-Site Request Forgery (CSRF)
CWE-918: Server-Side Request Forgery (SSRF)

CAPEC

References (31)

URL	Tag	Source
https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E	Mailing List
https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html	Mailing List
https://seclists.org/bugtraq/2019/May/68	Mailing List
https://security.netapp.com/advisory/ntap-20190530-0003	Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2020.html	X_refsource_misc
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html	X_refsource_misc

URL	Date	SRC

URL	Date	SRC
https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44	2023-11-07
https://github.com/FasterXML/jackson-databind/issues/2097	2023-11-07
https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.7	2023-11-07
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html	2023-11-07
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html	2023-11-07
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html	2023-11-07

URL	Date	SRC
https://access.redhat.com/errata/RHBA-2019:0959	2023-11-07
https://access.redhat.com/errata/RHSA-2019:0782	2023-11-07
https://access.redhat.com/errata/RHSA-2019:1106	2023-11-07
https://access.redhat.com/errata/RHSA-2019:1107	2023-11-07
https://access.redhat.com/errata/RHSA-2019:1108	2023-11-07
https://access.redhat.com/errata/RHSA-2019:1140	2023-11-07
https://access.redhat.com/errata/RHSA-2019:1822	2023-11-07
https://access.redhat.com/errata/RHSA-2019:1823	2023-11-07
https://access.redhat.com/errata/RHSA-2019:2858	2023-11-07
https://access.redhat.com/errata/RHSA-2019:3149	2023-11-07
https://access.redhat.com/errata/RHSA-2019:3892	2023-11-07
https://access.redhat.com/errata/RHSA-2019:4037	2023-11-07
https://www.debian.org/security/2019/dsa-4452	2023-11-07
https://access.redhat.com/security/cve/CVE-2018-14721	2021-05-06
https://bugzilla.redhat.com/show_bug.cgi?id=1666428	2021-05-06

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Fasterxml Search vendor "Fasterxml"		Jackson-databind Search vendor "Fasterxml" for product "Jackson-databind"				>= 2.6.0 < 2.6.7.2 Search vendor "Fasterxml" for product "Jackson-databind" and version " >= 2.6.0 < 2.6.7.2"		-		Affected
Fasterxml Search vendor "Fasterxml"		Jackson-databind Search vendor "Fasterxml" for product "Jackson-databind"				>= 2.7.0 < 2.7.9.5 Search vendor "Fasterxml" for product "Jackson-databind" and version " >= 2.7.0 < 2.7.9.5"		-		Affected
Fasterxml Search vendor "Fasterxml"		Jackson-databind Search vendor "Fasterxml" for product "Jackson-databind"				>= 2.8.0 < 2.8.11.3 Search vendor "Fasterxml" for product "Jackson-databind" and version " >= 2.8.0 < 2.8.11.3"		-		Affected
Fasterxml Search vendor "Fasterxml"		Jackson-databind Search vendor "Fasterxml" for product "Jackson-databind"				>= 2.9.0 < 2.9.7 Search vendor "Fasterxml" for product "Jackson-databind" and version " >= 2.9.0 < 2.9.7"		-		Affected
Fasterxml Search vendor "Fasterxml"		Jackson-databind Search vendor "Fasterxml" for product "Jackson-databind"				2.7.0 Search vendor "Fasterxml" for product "Jackson-databind" and version "2.7.0"		rc1		Affected
Fasterxml Search vendor "Fasterxml"		Jackson-databind Search vendor "Fasterxml" for product "Jackson-databind"				2.7.0 Search vendor "Fasterxml" for product "Jackson-databind" and version "2.7.0"		rc2		Affected
Fasterxml Search vendor "Fasterxml"		Jackson-databind Search vendor "Fasterxml" for product "Jackson-databind"				2.7.0 Search vendor "Fasterxml" for product "Jackson-databind" and version "2.7.0"		rc3		Affected
Fasterxml Search vendor "Fasterxml"		Jackson-databind Search vendor "Fasterxml" for product "Jackson-databind"				2.8.0 Search vendor "Fasterxml" for product "Jackson-databind" and version "2.8.0"		rc1		Affected
Fasterxml Search vendor "Fasterxml"		Jackson-databind Search vendor "Fasterxml" for product "Jackson-databind"				2.8.0 Search vendor "Fasterxml" for product "Jackson-databind" and version "2.8.0"		rc2		Affected
Fasterxml Search vendor "Fasterxml"		Jackson-databind Search vendor "Fasterxml" for product "Jackson-databind"				2.9.0 Search vendor "Fasterxml" for product "Jackson-databind" and version "2.9.0"		pr1		Affected
Fasterxml Search vendor "Fasterxml"		Jackson-databind Search vendor "Fasterxml" for product "Jackson-databind"				2.9.0 Search vendor "Fasterxml" for product "Jackson-databind" and version "2.9.0"		pr2		Affected
Fasterxml Search vendor "Fasterxml"		Jackson-databind Search vendor "Fasterxml" for product "Jackson-databind"				2.9.0 Search vendor "Fasterxml" for product "Jackson-databind" and version "2.9.0"		pr3		Affected
Fasterxml Search vendor "Fasterxml"		Jackson-databind Search vendor "Fasterxml" for product "Jackson-databind"				2.9.0 Search vendor "Fasterxml" for product "Jackson-databind" and version "2.9.0"		pr4		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				8.0 Search vendor "Debian" for product "Debian Linux" and version "8.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0"		-		Affected
Oracle Search vendor "Oracle"		Banking Platform Search vendor "Oracle" for product "Banking Platform"				2.5.0 Search vendor "Oracle" for product "Banking Platform" and version "2.5.0"		-		Affected
Oracle Search vendor "Oracle"		Banking Platform Search vendor "Oracle" for product "Banking Platform"				2.6.0 Search vendor "Oracle" for product "Banking Platform" and version "2.6.0"		-		Affected
Oracle Search vendor "Oracle"		Banking Platform Search vendor "Oracle" for product "Banking Platform"				2.6.1 Search vendor "Oracle" for product "Banking Platform" and version "2.6.1"		-		Affected
Oracle Search vendor "Oracle"		Banking Platform Search vendor "Oracle" for product "Banking Platform"				2.6.2 Search vendor "Oracle" for product "Banking Platform" and version "2.6.2"		-		Affected
Oracle Search vendor "Oracle"		Communications Billing And Revenue Management Search vendor "Oracle" for product "Communications Billing And Revenue Management"				7.5 Search vendor "Oracle" for product "Communications Billing And Revenue Management" and version "7.5"		-		Affected
Oracle Search vendor "Oracle"		Communications Billing And Revenue Management Search vendor "Oracle" for product "Communications Billing And Revenue Management"				12.0 Search vendor "Oracle" for product "Communications Billing And Revenue Management" and version "12.0"		-		Affected
Oracle Search vendor "Oracle"		Enterprise Manager For Virtualization Search vendor "Oracle" for product "Enterprise Manager For Virtualization"				13.2.2 Search vendor "Oracle" for product "Enterprise Manager For Virtualization" and version "13.2.2"		-		Affected
Oracle Search vendor "Oracle"		Enterprise Manager For Virtualization Search vendor "Oracle" for product "Enterprise Manager For Virtualization"				13.2.3 Search vendor "Oracle" for product "Enterprise Manager For Virtualization" and version "13.2.3"		-		Affected
Oracle Search vendor "Oracle"		Enterprise Manager For Virtualization Search vendor "Oracle" for product "Enterprise Manager For Virtualization"				13.3.1 Search vendor "Oracle" for product "Enterprise Manager For Virtualization" and version "13.3.1"		-		Affected
Oracle Search vendor "Oracle"		Financial Services Analytical Applications Infrastructure Search vendor "Oracle" for product "Financial Services Analytical Applications Infrastructure"				8.0.2 Search vendor "Oracle" for product "Financial Services Analytical Applications Infrastructure" and version "8.0.2"		-		Affected
Oracle Search vendor "Oracle"		Financial Services Analytical Applications Infrastructure Search vendor "Oracle" for product "Financial Services Analytical Applications Infrastructure"				8.0.3 Search vendor "Oracle" for product "Financial Services Analytical Applications Infrastructure" and version "8.0.3"		-		Affected
Oracle Search vendor "Oracle"		Financial Services Analytical Applications Infrastructure Search vendor "Oracle" for product "Financial Services Analytical Applications Infrastructure"				8.0.4 Search vendor "Oracle" for product "Financial Services Analytical Applications Infrastructure" and version "8.0.4"		-		Affected
Oracle Search vendor "Oracle"		Financial Services Analytical Applications Infrastructure Search vendor "Oracle" for product "Financial Services Analytical Applications Infrastructure"				8.0.5 Search vendor "Oracle" for product "Financial Services Analytical Applications Infrastructure" and version "8.0.5"		-		Affected
Oracle Search vendor "Oracle"		Financial Services Analytical Applications Infrastructure Search vendor "Oracle" for product "Financial Services Analytical Applications Infrastructure"				8.0.6 Search vendor "Oracle" for product "Financial Services Analytical Applications Infrastructure" and version "8.0.6"		-		Affected
Oracle Search vendor "Oracle"		Financial Services Analytical Applications Infrastructure Search vendor "Oracle" for product "Financial Services Analytical Applications Infrastructure"				8.0.7 Search vendor "Oracle" for product "Financial Services Analytical Applications Infrastructure" and version "8.0.7"		-		Affected
Oracle Search vendor "Oracle"		Jdeveloper Search vendor "Oracle" for product "Jdeveloper"				12.1.3.0.0 Search vendor "Oracle" for product "Jdeveloper" and version "12.1.3.0.0"		-		Affected
Oracle Search vendor "Oracle"		Jdeveloper Search vendor "Oracle" for product "Jdeveloper"				12.2.1.3.0 Search vendor "Oracle" for product "Jdeveloper" and version "12.2.1.3.0"		-		Affected
Oracle Search vendor "Oracle"		Primavera Unifier Search vendor "Oracle" for product "Primavera Unifier"				>= 17.1 <= 17.12 Search vendor "Oracle" for product "Primavera Unifier" and version " >= 17.1 <= 17.12"		-		Affected
Oracle Search vendor "Oracle"		Primavera Unifier Search vendor "Oracle" for product "Primavera Unifier"				16.1 Search vendor "Oracle" for product "Primavera Unifier" and version "16.1"		-		Affected
Oracle Search vendor "Oracle"		Primavera Unifier Search vendor "Oracle" for product "Primavera Unifier"				16.2 Search vendor "Oracle" for product "Primavera Unifier" and version "16.2"		-		Affected
Oracle Search vendor "Oracle"		Primavera Unifier Search vendor "Oracle" for product "Primavera Unifier"				18.8 Search vendor "Oracle" for product "Primavera Unifier" and version "18.8"		-		Affected
Oracle Search vendor "Oracle"		Retail Merchandising System Search vendor "Oracle" for product "Retail Merchandising System"				15.0 Search vendor "Oracle" for product "Retail Merchandising System" and version "15.0"		-		Affected
Oracle Search vendor "Oracle"		Retail Merchandising System Search vendor "Oracle" for product "Retail Merchandising System"				16.0 Search vendor "Oracle" for product "Retail Merchandising System" and version "16.0"		-		Affected
Oracle Search vendor "Oracle"		Webcenter Portal Search vendor "Oracle" for product "Webcenter Portal"				12.2.1.3.0 Search vendor "Oracle" for product "Webcenter Portal" and version "12.2.1.3.0"		-		Affected
Redhat Search vendor "Redhat"		Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform"				7.2.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "7.2.0"		-		Affected
Redhat Search vendor "Redhat"		Openshift Container Platform Search vendor "Redhat" for product "Openshift Container Platform"				3.11 Search vendor "Redhat" for product "Openshift Container Platform" and version "3.11"		-		Affected