CVE-2018-14719

CRITICAL

FasterXML jackson-databind 2.0.0-2.6.7.2 - Remote Code Execution via BlazeDS Polymorphic Deserialization

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2018-14719. PoCs published by dawetmaster, andikahilmy.

AI-analyzed exploit summary This repository appears to be a partial or incomplete copy of the Jackson Databind library, lacking any exploit code or technical analysis specific to CVE-2018-14719. It includes only a subset of source files and a generic README that describes the library's usage without addressing the vulnerability.

Description

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization.

Exploits (2)

nomisec STUB
by dawetmaster · poc
https://github.com/dawetmaster/CVE-2018-14719-jackson-databind-vulnerable

This repository appears to be a partial or incomplete copy of the Jackson Databind library, lacking any exploit code or technical analysis specific to CVE-2018-14719. It includes only a subset of source files and a generic README that describes the library's usage without addressing the vulnerability.

Classification
Stub 90%
Attack Type
Deserialization
Complexity
Theoretical
Reliability
Theoretical
Target: Jackson Databind (versions affected by CVE-2018-14719)
No auth needed
Prerequisites: None identified, as no exploit code is present
devstral-2 · analyzed Mar 14, 2026 Full analysis →
nomisec WRITEUP
by andikahilmy · poc
https://github.com/andikahilmy/CVE-2018-14719-jackson-databind-vulnerable

This repository contains a detailed technical writeup and source code for Jackson Databind, focusing on the vulnerability context of CVE-2018-14719. It includes extensive documentation on usage, configuration, and integration, but lacks explicit exploit code or direct demonstration of the vulnerability.

Classification
Writeup 90%
Attack Type
Deserialization
Complexity
Moderate
Reliability
Theoretical
Target: Jackson Databind (versions 2.x)
No auth needed
Prerequisites: Presence of vulnerable Jackson Databind version · Ability to send crafted JSON payloads to the target application
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (31)

Core 31
Core References
Patch, Third Party Advisory x_refsource_confirm
https://github.com/FasterXML/jackson-databind/issues/2097
Patch, Release Notes, Third Party Advisory x_refsource_confirm
https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.7
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:0782
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:0877
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHBA-2019:0959
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2019/dsa-4452
Issue Tracking, Mailing List, Third Party Advisory mailing-list x_refsource_bugtraq
https://seclists.org/bugtraq/2019/May/68
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20190530-0003/
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:1782
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:1797
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:1822
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:1823
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:2804
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:2858
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:3002
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:3140
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:3149
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:3892
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:4037
Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuapr2020.html

Scores

CVSS v3 9.8
EPSS 0.0346
EPSS Percentile 87.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-502
Status published
Products (48)
com.fasterxml.jackson.core/jackson-databind 2.9.0 - 2.9.7Maven
debian/debian_linux 8.0
debian/debian_linux 9.0
fasterxml/jackson-databind 2.0.0 - 2.6.7.3
netapp/oncommand_workflow_automation
netapp/snapcenter
netapp/steelstore_cloud_integrated_storage
oracle/banking_platform 2.5.0
oracle/banking_platform 2.6.0
oracle/banking_platform 2.6.1
... and 38 more
Published Jan 02, 2019
Tracked Since Feb 18, 2026