PT-2018-2764 · Fasterxml+2 · Jackson-Databind+2

Published

2018-08-17

Updated

2021-03-15

CVE-2018-14720

CVSS v2.0

Critical

Vector

AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions FasterXML jackson-databind versions 2.x prior to 2.9.7

Description The issue is related to an error in restricting XML external entity references, which can be exploited by a remote attacker to conduct an XML External Entity (XXE) attack using polymorphic deserialization. This can be achieved by leveraging the failure to block unspecified JDK classes from polymorphic deserialization.

Recommendations For FasterXML jackson-databind versions 2.x prior to 2.9.7, update to version 2.9.7 or later to resolve the issue. As a temporary workaround, consider restricting the use of polymorphic deserialization to minimize the risk of exploitation.

Exploit

Fix

Deserialization of Untrusted Data

XXE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-502CWE-611

Related Identifiers

ALT-PU-2019-2262

BDU:2019-01756

CVE-2018-14720

DLA-1703-1

DSA-4452-1

GHSA-X2W5-5M2G-7H5M

RHSA-2019:0782

RHSA-2019:1107

RHSA-2019:1108

USN-4813-1

Affected Products

Alt Linux

Ubuntu

Jackson-Databind

PT-2018-2764 · Fasterxml+2 · Jackson-Databind+2

CVE-2018-14720

Weakness Enumeration

Related Identifiers

Affected Products

References · 109