CVE-2018-14720
CRITICAL
FasterXML Jackson <2.9.7 - SSRF
Title source: llm
Description
FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.
Exploits (2)
nomisec
STUB
by andikahilmy · poc
https://github.com/andikahilmy/CVE-2018-14720-jackson-databind-vulnerable
nomisec
STUB
by dawetmaster · poc
https://github.com/dawetmaster/CVE-2018-14720-jackson-databind-vulnerable
References (32)
... and 12 more
Scores
CVSS v3
9.8
EPSS
0.0335
EPSS Percentile
87.1%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Classification
CWE
CWE-502
CWE-611
Status
published
Affected Products (39)
fasterxml/jackson-databind
< 2.6.7.2
fasterxml/jackson-databind
fasterxml/jackson-databind
fasterxml/jackson-databind
fasterxml/jackson-databind
fasterxml/jackson-databind
fasterxml/jackson-databind
fasterxml/jackson-databind
fasterxml/jackson-databind
fasterxml/jackson-databind
debian/debian_linux
debian/debian_linux
oracle/banking_platform
oracle/banking_platform
oracle/banking_platform
... and 24 more
Timeline
Published
Jan 02, 2019
Tracked Since
Feb 18, 2026