CVE-2018-14720

CRITICAL

FasterXML Jackson <2.9.7 - SSRF

Title source: llm

Description

FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.

Exploits (2)

nomisec STUB

by dawetmaster · poc

https://github.com/dawetmaster/CVE-2018-14720-jackson-databind-vulnerable

View Code ZIP pw:eip

nomisec STUB

by andikahilmy · poc

https://github.com/andikahilmy/CVE-2018-14720-jackson-databind-vulnerable

View Code ZIP pw:eip

References (32)

[Patch, Third Party Advisory] https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44

[Issue Tracking, Patch, Third Party Advisory] https://github.com/FasterXML/jackson-databind/issues/2097

[Patch, Third Party Advisory] https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

[Patch, Release Notes, Third Party Advisory] https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.7

[Third Party Advisory] https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html

[Mailing List] https://lists.apache.org/thread.html/6a78f88716c3c57aa74ec05764a37ab3874769a347805903b393b286%40%3Cdev.lucene.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/82b01bfb6787097427ce97cec6a7127e93718bc05d1efd5eaffc228f%40%3Cdev.lucene.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E

[Patch, Third Party Advisory] https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

[Mailing List] https://lists.apache.org/thread.html/ba973114605d936be276ee6ce09dfbdbf78aa56f6cdc6e79bfa7b8df%40%3Cdev.lucene.apache.org%3E

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2019:0782

[Third Party Advisory] https://access.redhat.com/errata/RHBA-2019:0959

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2019:1107

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2019:1108

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2019:1106

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2019:1140

[Third Party Advisory] https://www.debian.org/security/2019/dsa-4452

[Mailing List, Third Party Advisory] https://seclists.org/bugtraq/2019/May/68

[Third Party Advisory] https://security.netapp.com/advisory/ntap-20190530-0003/

[Patch, Third Party Advisory] https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

... and 12 more

Scores

CVSS v3 9.8

EPSS 0.0335

EPSS Percentile 87.4%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-502 CWE-611

Status published

Products (33)

com.fasterxml.jackson.core/jackson-databind 2.9.0 - 2.9.7Maven

debian/debian_linux 8.0

debian/debian_linux 9.0

fasterxml/jackson-databind 2.7.0 rc1 (3 CPE variants)

fasterxml/jackson-databind 2.8.0 rc1 (2 CPE variants)

fasterxml/jackson-databind 2.9.0 pr1 (4 CPE variants)

fasterxml/jackson-databind 2.6.0 - 2.6.7.2

oracle/banking_platform 2.5.0

oracle/banking_platform 2.6.0

oracle/banking_platform 2.6.1

... and 23 more

Published Jan 02, 2019

Tracked Since Feb 18, 2026