PT-2018-2764 · Fasterxml+2 · Jackson-Databind+2

Publicado

2018-08-17

Atualizado

2021-03-15

CVE-2018-14720

CVSS v2.0

Crítica

Vetor

AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions FasterXML jackson-databind versions 2.x prior to 2.9.7

Description The issue is related to an error in restricting XML external entity references, which can be exploited by a remote attacker to conduct an XML External Entity (XXE) attack using polymorphic deserialization. This can be achieved by leveraging the failure to block unspecified JDK classes from polymorphic deserialization.

Recommendations For FasterXML jackson-databind versions 2.x prior to 2.9.7, update to version 2.9.7 or later to resolve the issue. As a temporary workaround, consider restricting the use of polymorphic deserialization to minimize the risk of exploitation.

Exploit

Correção

Deserialization of Untrusted Data

XXE

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-502CWE-611

Identificadores relacionados

ALT-PU-2019-2262

BDU:2019-01756

CVE-2018-14720

DLA-1703-1

DSA-4452-1

GHSA-X2W5-5M2G-7H5M

RHSA-2019:0782

RHSA-2019:1107

RHSA-2019:1108

USN-4813-1

Produtos afetados

Alt Linux

Ubuntu

Jackson-Databind

PT-2018-2764 · Fasterxml+2 · Jackson-Databind+2

CVE-2018-14720

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 109