CVE-2018-14721

jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class

Severity Score: 10.0 (CVSS v3)
Exploit Likelihood: (EPSS)
Affected Versions: (CPE)
Public Exploits: 0 (Multiple Sources)
Exploited in Wild: - (KEV)
Decision: - (SSVC)

Descriptions

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.

FasterXML jackson-databind 2.x versions before 2.9.7 might allow remote attackers to conduct SSRF (Server-Side Request Forgery) attacks by leveraging a failure to block the axis2-ext class from polymorphic deserialization.

*Credits: N/A
CVSS Scores

CVSS v3 (score 10.0)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
  • Confidentiality: High
  • Integrity: High
  • Availability: High

CVSS v3 (alternate vector)
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
  • Confidentiality: High
  • Integrity: None
  • Availability: None

CVSS v2
  • Attack Vector: Network
  • Attack Complexity: Low
  • Authentication: None
  • Confidentiality: Partial
  • Integrity: Partial
  • Availability: Partial
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2018-07-28 CVE Reserved
  • 2019-01-02 CVE Published
  • 2024-07-28 EPSS Updated
  • 2024-08-05 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-352: Cross-Site Request Forgery (CSRF)
  • CWE-918: Server-Side Request Forgery (SSRF)
CAPEC
References (31)
Affected Vendors, Products, and Versions
Vendor    | Product                                                   | Version             | Other | Status
Fasterxml | Jackson-databind                                          | >= 2.6.0 < 2.6.7.2  | -     | Affected
Fasterxml | Jackson-databind                                          | >= 2.7.0 < 2.7.9.5  | -     | Affected
Fasterxml | Jackson-databind                                          | >= 2.8.0 < 2.8.11.3 | -     | Affected
Fasterxml | Jackson-databind                                          | >= 2.9.0 < 2.9.7    | -     | Affected
Fasterxml | Jackson-databind                                          | 2.7.0               | rc1   | Affected
Fasterxml | Jackson-databind                                          | 2.7.0               | rc2   | Affected
Fasterxml | Jackson-databind                                          | 2.7.0               | rc3   | Affected
Fasterxml | Jackson-databind                                          | 2.8.0               | rc1   | Affected
Fasterxml | Jackson-databind                                          | 2.8.0               | rc2   | Affected
Fasterxml | Jackson-databind                                          | 2.9.0               | pr1   | Affected
Fasterxml | Jackson-databind                                          | 2.9.0               | pr2   | Affected
Fasterxml | Jackson-databind                                          | 2.9.0               | pr3   | Affected
Fasterxml | Jackson-databind                                          | 2.9.0               | pr4   | Affected
Debian    | Debian Linux                                              | 8.0                 | -     | Affected
Debian    | Debian Linux                                              | 9.0                 | -     | Affected
Oracle    | Banking Platform                                          | 2.5.0               | -     | Affected
Oracle    | Banking Platform                                          | 2.6.0               | -     | Affected
Oracle    | Banking Platform                                          | 2.6.1               | -     | Affected
Oracle    | Banking Platform                                          | 2.6.2               | -     | Affected
Oracle    | Communications Billing And Revenue Management             | 7.5                 | -     | Affected
Oracle    | Communications Billing And Revenue Management             | 12.0                | -     | Affected
Oracle    | Enterprise Manager For Virtualization                     | 13.2.2              | -     | Affected
Oracle    | Enterprise Manager For Virtualization                     | 13.2.3              | -     | Affected
Oracle    | Enterprise Manager For Virtualization                     | 13.3.1              | -     | Affected
Oracle    | Financial Services Analytical Applications Infrastructure | 8.0.2               | -     | Affected
Oracle    | Financial Services Analytical Applications Infrastructure | 8.0.3               | -     | Affected
Oracle    | Financial Services Analytical Applications Infrastructure | 8.0.4               | -     | Affected
Oracle    | Financial Services Analytical Applications Infrastructure | 8.0.5               | -     | Affected
Oracle    | Financial Services Analytical Applications Infrastructure | 8.0.6               | -     | Affected
Oracle    | Financial Services Analytical Applications Infrastructure | 8.0.7               | -     | Affected
Oracle    | Jdeveloper                                                | 12.1.3.0.0          | -     | Affected
Oracle    | Jdeveloper                                                | 12.2.1.3.0          | -     | Affected
Oracle    | Primavera Unifier                                         | >= 17.1 <= 17.12    | -     | Affected
Oracle    | Primavera Unifier                                         | 16.1                | -     | Affected
Oracle    | Primavera Unifier                                         | 16.2                | -     | Affected
Oracle    | Primavera Unifier                                         | 18.8                | -     | Affected
Oracle    | Retail Merchandising System                               | 15.0                | -     | Affected
Oracle    | Retail Merchandising System                               | 16.0                | -     | Affected
Oracle    | Webcenter Portal                                          | 12.2.1.3.0          | -     | Affected
Redhat    | Jboss Enterprise Application Platform                     | 7.2.0               | -     | Affected
Redhat    | Openshift Container Platform                              | 3.11                | -     | Affected