CVE-2018-14721 : FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to cond

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.

Published 2019-01-02 18:29:01

Updated 2020-08-31 14:15:14

Source MITRE

View at NVD, CVE.org

Vulnerability category: Server-side request forgery (SSRF)

Products affected by CVE-2018-14721

Debian » Debian Linux » Version: 8.0
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 9.0
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Matching versions
Redhat » Jboss Enterprise Application Platform » Version: 7.2.0
cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2.0:*:*:*:*:*:*:*
Matching versions
Redhat » Openshift Container Platform » Version: 3.11
cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*
Matching versions
Oracle » Jdeveloper » Version: 12.1.3.0.0
cpe:2.3:a:oracle:jdeveloper:12.1.3.0.0:*:*:*:*:*:*:*
Matching versions
Oracle » Jdeveloper » Version: 12.2.1.3.0
cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:*
Matching versions
Oracle » Banking Platform » Version: 2.6.0
cpe:2.3:a:oracle:banking_platform:2.6.0:*:*:*:*:*:*:*
Matching versions
Oracle » Banking Platform » Version: 2.6.1
cpe:2.3:a:oracle:banking_platform:2.6.1:*:*:*:*:*:*:*
Matching versions
Oracle » Banking Platform » Version: 2.6.2
cpe:2.3:a:oracle:banking_platform:2.6.2:*:*:*:*:*:*:*
Matching versions
Oracle » Banking Platform » Version: 2.5.0
cpe:2.3:a:oracle:banking_platform:2.5.0:*:*:*:*:*:*:*
Matching versions
Oracle » Primavera Unifier
Versions from including (>=) 17.1 and up to, including, (<=) 17.12
cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*
Matching versions
Oracle » Primavera Unifier » Version: 18.8
cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*
Matching versions
Oracle » Primavera Unifier » Version: 16.1
cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:*
Matching versions
Oracle » Primavera Unifier » Version: 16.2
cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Merchandising System » Version: 16.0
cpe:2.3:a:oracle:retail_merchandising_system:16.0:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Merchandising System » Version: 15.0
cpe:2.3:a:oracle:retail_merchandising_system:15.0:*:*:*:*:*:*:*
Matching versions
Oracle » Webcenter Portal » Version: 12.2.1.3.0
cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*
Matching versions
Oracle » Financial Services Analytical Applications Infrastructure » Version: 8.0.2
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.2:*:*:*:*:*:*:*
Matching versions
Oracle » Financial Services Analytical Applications Infrastructure » Version: 8.0.3
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.3:*:*:*:*:*:*:*
Matching versions
Oracle » Financial Services Analytical Applications Infrastructure » Version: 8.0.4
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.4:*:*:*:*:*:*:*
Matching versions
Oracle » Financial Services Analytical Applications Infrastructure » Version: 8.0.5
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.5:*:*:*:*:*:*:*
Matching versions
Oracle » Financial Services Analytical Applications Infrastructure » Version: 8.0.6
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6:*:*:*:*:*:*:*
Matching versions
Oracle » Financial Services Analytical Applications Infrastructure » Version: 8.0.7
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.7:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Billing And Revenue Management » Version: 7.5
cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Billing And Revenue Management » Version: 12.0
cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0:*:*:*:*:*:*:*
Matching versions
Oracle » Enterprise Manager For Virtualization » Version: 13.2.2
cpe:2.3:a:oracle:enterprise_manager_for_virtualization:13.2.2:*:*:*:*:*:*:*
Matching versions
Oracle » Enterprise Manager For Virtualization » Version: 13.2.3
cpe:2.3:a:oracle:enterprise_manager_for_virtualization:13.2.3:*:*:*:*:*:*:*
Matching versions
Oracle » Enterprise Manager For Virtualization » Version: 13.3.1
cpe:2.3:a:oracle:enterprise_manager_for_virtualization:13.3.1:*:*:*:*:*:*:*
Matching versions
Fasterxml » Jackson-databind
Versions from including (>=) 2.7.0 and before (<) 2.7.9.5
cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*
Matching versions
Fasterxml » Jackson-databind
Versions from including (>=) 2.6.0 and before (<) 2.6.7.2
cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*
Matching versions
Fasterxml » Jackson-databind
Versions from including (>=) 2.9.0 and before (<) 2.9.7
cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*
Matching versions
Fasterxml » Jackson-databind
Versions from including (>=) 2.8.0 and before (<) 2.8.11.3
cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*
Matching versions
Fasterxml » Jackson-databind » Version: 2.7.0 Update RC1
cpe:2.3:a:fasterxml:jackson-databind:2.7.0:rc1:*:*:*:*:*:*
Matching versions
Fasterxml » Jackson-databind » Version: 2.7.0 Update RC2
cpe:2.3:a:fasterxml:jackson-databind:2.7.0:rc2:*:*:*:*:*:*
Matching versions
Fasterxml » Jackson-databind » Version: 2.9.0 Update PR1
cpe:2.3:a:fasterxml:jackson-databind:2.9.0:pr1:*:*:*:*:*:*
Matching versions
Fasterxml » Jackson-databind » Version: 2.9.0 Update PR2
cpe:2.3:a:fasterxml:jackson-databind:2.9.0:pr2:*:*:*:*:*:*
Matching versions
Fasterxml » Jackson-databind » Version: 2.9.0 Update PR3
cpe:2.3:a:fasterxml:jackson-databind:2.9.0:pr3:*:*:*:*:*:*
Matching versions
Fasterxml » Jackson-databind » Version: 2.9.0 Update PR4
cpe:2.3:a:fasterxml:jackson-databind:2.9.0:pr4:*:*:*:*:*:*
Matching versions
Fasterxml » Jackson-databind » Version: 2.8.0 Update RC2
cpe:2.3:a:fasterxml:jackson-databind:2.8.0:rc2:*:*:*:*:*:*
Matching versions
Fasterxml » Jackson-databind » Version: 2.7.0 Update RC3
cpe:2.3:a:fasterxml:jackson-databind:2.7.0:rc3:*:*:*:*:*:*
Matching versions
Fasterxml » Jackson-databind » Version: 2.8.0 Update RC1
cpe:2.3:a:fasterxml:jackson-databind:2.8.0:rc1:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2018-14721

EPSS FAQ

9.90%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 93 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2018-14721

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.5	HIGH	AV:N/AC:L/Au:N/C:P/I:P/A:P	10.0	6.4	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
10.0	CRITICAL	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H	3.9	6.0	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Changed Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2018-14721

CWE-918 Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2018-14721

https://access.redhat.com/errata/RHSA-2019:0782

RHSA-2019:0782 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://www.oracle.com/security-alerts/cpuapr2020.html

Oracle Critical Patch Update Advisory - April 2020

CVEs referencing this url
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

Page not found | Oracle

CVEs referencing this url
https://seclists.org/bugtraq/2019/May/68

Bugtraq: [SECURITY] [DSA 4452-1] jackson-databind security update
Mailing List;Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2019:4037

RHSA-2019:4037 - Security Advisory - Red Hat Customer Portal

CVEs referencing this url
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Oracle Critical Patch Update - July 2019
Patch;Third Party Advisory

CVEs referencing this url
https://www.debian.org/security/2019/dsa-4452

Debian -- Security Information -- DSA-4452-1 jackson-databind
Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2019:1107

RHSA-2019:1107 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.7

Jackson Release 2.9.7 · FasterXML/jackson Wiki · GitHub
Patch;Release Notes;Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E

[jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities - Pony Mail

CVEs referencing this url
https://github.com/FasterXML/jackson-databind/issues/2097

Block more classes from polymorphic deserialization (CVE-2018-14718 - CVE-2018-14721) · Issue #2097 · FasterXML/jackson-databind · GitHub
Issue Tracking;Patch;Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2019:1823

RHSA-2019:1823 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2019:3149

RHSA-2019:3149 - Security Advisory - Red Hat Customer Portal

CVEs referencing this url
https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E

[GitHub] [pulsar] one70six opened a new issue #4057: Security Vulnerabilities - Black Duck Scan - Pulsar v.2.3.1 - Pony Mail
Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E

Pony Mail!

CVEs referencing this url
https://access.redhat.com/errata/RHBA-2019:0959

RHBA-2019:0959 - Bug Fix Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

Oracle Critical Patch Update - April 2019
Patch;Third Party Advisory

CVEs referencing this url
https://security.netapp.com/advisory/ntap-20190530-0003/

May 2019 FasterXML jackson-databind Vulnerabilities in NetApp Products | NetApp Product Security
Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2019:1140

RHSA-2019:1140 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E

Pony Mail!

CVEs referencing this url
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

Oracle Critical Patch Update - January 2019
Patch;Third Party Advisory

CVEs referencing this url
https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44

Fix #2097 for 2.6.7.2 · FasterXML/jackson-databind@87d29af · GitHub
Patch;Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2019:3892

RHSA-2019:3892 - Security Advisory - Red Hat Customer Portal

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2019:2858

RHSA-2019:2858 - Security Advisory - Red Hat Customer Portal

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2019:1822

RHSA-2019:1822 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2019:1106

RHSA-2019:1106 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html

[SECURITY] [DLA 1703-1] jackson-databind security update
Mailing List;Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2019:1108

RHSA-2019:1108 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E

[jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities - Pony Mail

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2018-14721

Products affected by CVE-2018-14721

Exploit prediction scoring system (EPSS) score for CVE-2018-14721

CVSS scores for CVE-2018-14721

CWE ids for CVE-2018-14721

References for CVE-2018-14721