CVE-2018-14720

CRITICAL

FasterXML jackson-databind 2.6.0-2.6.7.1 - XML External Entity Injection via Polymorphic Deserialization

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2018-14720. PoCs published by dawetmaster, andikahilmy.

AI-analyzed exploit summary: This repository appears to be a partial or incomplete copy of the Jackson Databind library, lacking any exploit code or technical analysis specific to CVE-2018-14720. It includes only a subset of source files and a generic README that describes the library's usage without addressing the vulnerability.

Description

FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.

Exploits (2)

nomisec · STUB
by dawetmaster · poc
https://github.com/dawetmaster/CVE-2018-14720-jackson-databind-vulnerable

This repository appears to be a partial or incomplete copy of the Jackson Databind library, lacking any exploit code or technical analysis specific to CVE-2018-14720. It includes only a subset of source files and a generic README that describes the library's usage without addressing the vulnerability.

Classification: Stub (90%)
Attack Type: Deserialization
Complexity: Theoretical
Reliability: Theoretical
Target: Jackson Databind (versions affected by CVE-2018-14720)
No auth needed
Prerequisites: None identified in the repository
Analyzed by devstral-2 on Mar 14, 2026

nomisec · STUB
by andikahilmy · poc
https://github.com/andikahilmy/CVE-2018-14720-jackson-databind-vulnerable

This repository appears to be a partial or incomplete copy of the Jackson Databind library, lacking any exploit code or technical analysis specific to CVE-2018-14720. The README is a generic guide for using Jackson Databind, not a PoC or writeup.

Classification: Stub (90%)
Attack Type: Deserialization
Complexity: Trivial
Reliability: Theoretical
Target: Jackson Databind (version unclear, likely 2.x)
No auth needed
Analyzed by devstral-2 on Feb 18, 2026

References (32)

Core References
https://github.com/FasterXML/jackson-databind/issues/2097 (Issue Tracking, Patch, Third Party Advisory; x_refsource_confirm)
https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.7 (Patch, Release Notes, Third Party Advisory; x_refsource_confirm)
https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html (Third Party Advisory, mailing-list; x_refsource_mlist)
https://access.redhat.com/errata/RHSA-2019:0782 (Third Party Advisory, vendor-advisory; x_refsource_redhat)
https://access.redhat.com/errata/RHBA-2019:0959 (Third Party Advisory, vendor-advisory; x_refsource_redhat)
https://access.redhat.com/errata/RHSA-2019:1107 (Third Party Advisory, vendor-advisory; x_refsource_redhat)
https://access.redhat.com/errata/RHSA-2019:1108 (Third Party Advisory, vendor-advisory; x_refsource_redhat)
https://access.redhat.com/errata/RHSA-2019:1106 (Third Party Advisory, vendor-advisory; x_refsource_redhat)
https://access.redhat.com/errata/RHSA-2019:1140 (Third Party Advisory, vendor-advisory; x_refsource_redhat)
https://www.debian.org/security/2019/dsa-4452 (Third Party Advisory, vendor-advisory; x_refsource_debian)
https://seclists.org/bugtraq/2019/May/68 (Mailing List, Third Party Advisory, mailing-list; x_refsource_bugtraq)
https://security.netapp.com/advisory/ntap-20190530-0003/ (Third Party Advisory; x_refsource_confirm)
https://access.redhat.com/errata/RHSA-2019:1822 (Third Party Advisory, vendor-advisory; x_refsource_redhat)
https://access.redhat.com/errata/RHSA-2019:1823 (Third Party Advisory, vendor-advisory; x_refsource_redhat)
https://access.redhat.com/errata/RHSA-2019:2858 (Vendor Advisory, vendor-advisory; x_refsource_redhat)
https://access.redhat.com/errata/RHSA-2019:3149 (Vendor Advisory, vendor-advisory; x_refsource_redhat)
https://access.redhat.com/errata/RHSA-2019:3892 (Vendor Advisory, vendor-advisory; x_refsource_redhat)
https://access.redhat.com/errata/RHSA-2019:4037 (Vendor Advisory, vendor-advisory; x_refsource_redhat)

Scores

CVSS v3: 9.8
EPSS: 0.0335
EPSS Percentile: 87.6%
Attack Vector: NETWORK
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-502, CWE-611
Status: published
Products (33)
com.fasterxml.jackson.core/jackson-databind 2.9.0 - 2.9.7 (Maven)
debian/debian_linux 8.0
debian/debian_linux 9.0
fasterxml/jackson-databind 2.7.0 rc1 (3 CPE variants)
fasterxml/jackson-databind 2.8.0 rc1 (2 CPE variants)
fasterxml/jackson-databind 2.9.0 pr1 (4 CPE variants)
fasterxml/jackson-databind 2.6.0 - 2.6.7.2
oracle/banking_platform 2.5.0
oracle/banking_platform 2.6.0
oracle/banking_platform 2.6.1
... and 23 more
Published Jan 02, 2019
Tracked Since Feb 18, 2026