CVE-2018-14720 : FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by levera

FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.

Published 2019-01-02 18:29:00

Updated 2020-08-31 14:15:14

Source MITRE

View at NVD, CVE.org

Vulnerability category: XML external entity (XXE) injection

Exploit prediction scoring system (EPSS) score for CVE-2018-14720

Probability of exploitation activity in the next 30 days: 1.02%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 82 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2018-14720

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.5	HIGH	AV:N/AC:L/Au:N/C:P/I:P/A:P	10.0	6.4	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
9.8	CRITICAL	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2018-14720

CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

Assigned by: nvd@nist.gov (Primary)
CWE-611 Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2018-14720

https://access.redhat.com/errata/RHSA-2019:0782

RHSA-2019:0782 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://www.oracle.com/security-alerts/cpuapr2020.html

Oracle Critical Patch Update Advisory - April 2020

CVEs referencing this url
https://lists.apache.org/thread.html/ba973114605d936be276ee6ce09dfbdbf78aa56f6cdc6e79bfa7b8df@%3Cdev.lucene.apache.org%3E

[jira] [Updated] (SOLR-13112) CVE-2018-14718(-14719),sonatype-2017-0312, CVE-2018-14720(-14721) Threat Level 8 Against Solr v7.6. com.fasterxml.jackson.core : jackson-databind : 2.9.6. FasterXML jacks
Mailing List;Third Party Advisory

CVEs referencing this url
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

Page not found | Oracle

CVEs referencing this url
https://seclists.org/bugtraq/2019/May/68

Bugtraq: [SECURITY] [DSA 4452-1] jackson-databind security update
Mailing List;Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2019:4037

RHSA-2019:4037 - Security Advisory - Red Hat Customer Portal

CVEs referencing this url
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Oracle Critical Patch Update - July 2019
Patch;Third Party Advisory

CVEs referencing this url
https://www.debian.org/security/2019/dsa-4452

Debian -- Security Information -- DSA-4452-1 jackson-databind
Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2019:1107

RHSA-2019:1107 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/82b01bfb6787097427ce97cec6a7127e93718bc05d1efd5eaffc228f@%3Cdev.lucene.apache.org%3E

[jira] [Updated] (SOLR-13112) CVE-2018-14718(-14719),sonatype-2017-0312, CVE-2018-14720(-14721) Threat Level 8 Against Solr v7.6. com.fasterxml.jackson.core : jackson-databind : 2.9.6. FasterXML jacks
Mailing List;Third Party Advisory

CVEs referencing this url
https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.7

Jackson Release 2.9.7 · FasterXML/jackson Wiki · GitHub
Patch;Release Notes;Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E

[jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities - Pony Mail

CVEs referencing this url
https://github.com/FasterXML/jackson-databind/issues/2097

Block more classes from polymorphic deserialization (CVE-2018-14718 - CVE-2018-14721) · Issue #2097 · FasterXML/jackson-databind · GitHub
Issue Tracking;Patch;Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2019:1823

RHSA-2019:1823 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2019:3149

RHSA-2019:3149 - Security Advisory - Red Hat Customer Portal

CVEs referencing this url
https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E

[GitHub] [pulsar] one70six opened a new issue #4057: Security Vulnerabilities - Black Duck Scan - Pulsar v.2.3.1 - Pony Mail
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E

Pony Mail!

CVEs referencing this url
https://access.redhat.com/errata/RHBA-2019:0959

RHBA-2019:0959 - Bug Fix Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

Oracle Critical Patch Update - April 2019
Patch;Third Party Advisory

CVEs referencing this url
https://security.netapp.com/advisory/ntap-20190530-0003/

May 2019 FasterXML jackson-databind Vulnerabilities in NetApp Products | NetApp Product Security
Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2019:1140

RHSA-2019:1140 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E

Pony Mail!

CVEs referencing this url
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

Oracle Critical Patch Update - January 2019
Patch;Third Party Advisory

CVEs referencing this url
https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44

Fix #2097 for 2.6.7.2 · FasterXML/jackson-databind@87d29af · GitHub
Patch;Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2019:3892

RHSA-2019:3892 - Security Advisory - Red Hat Customer Portal

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2019:2858

RHSA-2019:2858 - Security Advisory - Red Hat Customer Portal

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2019:1822

RHSA-2019:1822 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2019:1106

RHSA-2019:1106 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html

[SECURITY] [DLA 1703-1] jackson-databind security update
Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2019:1108

RHSA-2019:1108 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/6a78f88716c3c57aa74ec05764a37ab3874769a347805903b393b286@%3Cdev.lucene.apache.org%3E

Pony Mail!
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E

[jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities - Pony Mail

CVEs referencing this url

Products affected by CVE-2018-14720

Debian » Debian Linux » Version: 8.0
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 9.0
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Matching versions
Redhat » Jboss Enterprise Application Platform » Version: 7.2.0
cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2.0:*:*:*:*:*:*:*
Matching versions
Redhat » Openshift Container Platform » Version: 3.11
cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*
Matching versions
Oracle » Jdeveloper » Version: 12.1.3.0.0
cpe:2.3:a:oracle:jdeveloper:12.1.3.0.0:*:*:*:*:*:*:*
Matching versions
Oracle » Jdeveloper » Version: 12.2.1.3.0
cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:*
Matching versions
Oracle » Banking Platform » Version: 2.6.0
cpe:2.3:a:oracle:banking_platform:2.6.0:*:*:*:*:*:*:*
Matching versions
Oracle » Banking Platform » Version: 2.6.1
cpe:2.3:a:oracle:banking_platform:2.6.1:*:*:*:*:*:*:*
Matching versions
Oracle » Banking Platform » Version: 2.6.2
cpe:2.3:a:oracle:banking_platform:2.6.2:*:*:*:*:*:*:*
Matching versions
Oracle » Banking Platform » Version: 2.5.0
cpe:2.3:a:oracle:banking_platform:2.5.0:*:*:*:*:*:*:*
Matching versions
Oracle » Primavera Unifier
Versions from including (>=) 17.1 and up to, including, (<=) 17.12
cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*
Matching versions
Oracle » Primavera Unifier » Version: 18.8
cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*
Matching versions
Oracle » Primavera Unifier » Version: 16.1
cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:*
Matching versions
Oracle » Primavera Unifier » Version: 16.2
cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Merchandising System » Version: 16.0
cpe:2.3:a:oracle:retail_merchandising_system:16.0:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Merchandising System » Version: 15.0
cpe:2.3:a:oracle:retail_merchandising_system:15.0:*:*:*:*:*:*:*
Matching versions
Oracle » Webcenter Portal » Version: 12.2.1.3.0
cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*
Matching versions
Oracle » Financial Services Analytical Applications Infrastructure » Version: 8.0.2
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.2:*:*:*:*:*:*:*
Matching versions
Oracle » Financial Services Analytical Applications Infrastructure » Version: 8.0.3
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.3:*:*:*:*:*:*:*
Matching versions
Oracle » Financial Services Analytical Applications Infrastructure » Version: 8.0.4
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.4:*:*:*:*:*:*:*
Matching versions
Oracle » Financial Services Analytical Applications Infrastructure » Version: 8.0.5
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.5:*:*:*:*:*:*:*
Matching versions
Oracle » Financial Services Analytical Applications Infrastructure » Version: 8.0.6
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6:*:*:*:*:*:*:*
Matching versions
Oracle » Financial Services Analytical Applications Infrastructure » Version: 8.0.7
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.7:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Billing And Revenue Management » Version: 7.5
cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Billing And Revenue Management » Version: 12.0
cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0:*:*:*:*:*:*:*
Matching versions
Oracle » Enterprise Manager For Virtualization » Version: 13.2.2
cpe:2.3:a:oracle:enterprise_manager_for_virtualization:13.2.2:*:*:*:*:*:*:*
Matching versions
Oracle » Enterprise Manager For Virtualization » Version: 13.2.3
cpe:2.3:a:oracle:enterprise_manager_for_virtualization:13.2.3:*:*:*:*:*:*:*
Matching versions
Oracle » Enterprise Manager For Virtualization » Version: 13.3.1
cpe:2.3:a:oracle:enterprise_manager_for_virtualization:13.3.1:*:*:*:*:*:*:*
Matching versions
Fasterxml » Jackson-databind
Versions from including (>=) 2.7.0 and before (<) 2.7.9.5
cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*
Matching versions
Fasterxml » Jackson-databind
Versions from including (>=) 2.6.0 and before (<) 2.6.7.2
cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*
Matching versions
Fasterxml » Jackson-databind
Versions from including (>=) 2.9.0 and before (<) 2.9.7
cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*
Matching versions
Fasterxml » Jackson-databind
Versions from including (>=) 2.8.0 and before (<) 2.8.11.3
cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*
Matching versions
Fasterxml » Jackson-databind » Version: 2.7.0 Update RC1
cpe:2.3:a:fasterxml:jackson-databind:2.7.0:rc1:*:*:*:*:*:*
Matching versions
Fasterxml » Jackson-databind » Version: 2.7.0 Update RC2
cpe:2.3:a:fasterxml:jackson-databind:2.7.0:rc2:*:*:*:*:*:*
Matching versions
Fasterxml » Jackson-databind » Version: 2.9.0 Update PR1
cpe:2.3:a:fasterxml:jackson-databind:2.9.0:pr1:*:*:*:*:*:*
Matching versions
Fasterxml » Jackson-databind » Version: 2.9.0 Update PR2
cpe:2.3:a:fasterxml:jackson-databind:2.9.0:pr2:*:*:*:*:*:*
Matching versions
Fasterxml » Jackson-databind » Version: 2.9.0 Update PR3
cpe:2.3:a:fasterxml:jackson-databind:2.9.0:pr3:*:*:*:*:*:*
Matching versions
Fasterxml » Jackson-databind » Version: 2.9.0 Update PR4
cpe:2.3:a:fasterxml:jackson-databind:2.9.0:pr4:*:*:*:*:*:*
Matching versions
Fasterxml » Jackson-databind » Version: 2.8.0 Update RC2
cpe:2.3:a:fasterxml:jackson-databind:2.8.0:rc2:*:*:*:*:*:*
Matching versions
Fasterxml » Jackson-databind » Version: 2.7.0 Update RC3
cpe:2.3:a:fasterxml:jackson-databind:2.7.0:rc3:*:*:*:*:*:*
Matching versions
Fasterxml » Jackson-databind » Version: 2.8.0 Update RC1
cpe:2.3:a:fasterxml:jackson-databind:2.8.0:rc1:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2018-14720

Exploit prediction scoring system (EPSS) score for CVE-2018-14720

CVSS scores for CVE-2018-14720

CWE ids for CVE-2018-14720

References for CVE-2018-14720

Products affected by CVE-2018-14720