CVE-2018-14718

CRITICAL

FasterXML Jackson <2.9.7 - Code Injection

Title source: llm

Description

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.

Exploits (2)

nomisec STUB

by dawetmaster · poc

https://github.com/dawetmaster/CVE-2018-14718-jackson-databind-vulnerable

View Code ZIP pw:eip

nomisec STUB

by andikahilmy · poc

https://github.com/andikahilmy/CVE-2018-14718-jackson-databind-vulnerable

View Code ZIP pw:eip

References (35)

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html

[Mailing List] https://lists.apache.org/thread.html/6a78f88716c3c57aa74ec05764a37ab3874769a347805903b393b286%40%3Cdev.lucene.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/82b01bfb6787097427ce97cec6a7127e93718bc05d1efd5eaffc228f%40%3Cdev.lucene.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/ba973114605d936be276ee6ce09dfbdbf78aa56f6cdc6e79bfa7b8df%40%3Cdev.lucene.apache.org%3E

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2019:0782

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/106601

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2019:0877

[Third Party Advisory] https://access.redhat.com/errata/RHBA-2019:0959

[Third Party Advisory] https://www.debian.org/security/2019/dsa-4452

[Mailing List, Third Party Advisory] https://seclists.org/bugtraq/2019/May/68

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2019:1782

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2019:1797

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2019:1822

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2019:1823

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2019:2804

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2019:2858

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2019:3002

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2019:3140

[Mailing List] https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2019:3149

... and 15 more

Scores

CVSS v3 9.8

EPSS 0.1452

EPSS Percentile 94.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-502

Status published

Products (50)

com.fasterxml.jackson.core/jackson-databind 2.9.0 - 2.9.7Maven

debian/debian_linux 8.0

debian/debian_linux 9.0

fasterxml/jackson-databind 2.0.0 - 2.6.7.3

netapp/oncommand_workflow_automation

netapp/snapcenter

netapp/steelstore_cloud_integrated_storage

oracle/banking_platform 2.5.0

oracle/banking_platform 2.6.0

oracle/banking_platform 2.6.1

... and 40 more

Published Jan 02, 2019

Tracked Since Feb 18, 2026