CVE-2018-14718: FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from…

critical9.8CVSS 3.1

AVNACLPRNUINSUCHIHAH

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.

Affected

60 ranges· showing 25

Vendor	Product	Version range	Fixed in
debian	debian_linux	—	—
debian	debian_linux	—	—
debian	jackson-databind	< jackson-databind 2.9.8-1 (bookworm)	jackson-databind 2.9.8-1 (bookworm)
fasterxml	jackson-databind	>= 0 < 2.9.8-1	2.9.8-1
fasterxml	jackson-databind	>= 0 < 2.9.8-1	2.9.8-1
fasterxml	jackson-databind	>= 0 < 2.9.8-1	2.9.8-1
fasterxml	jackson-databind	>= 0 < 2.9.8-1	2.9.8-1
fasterxml	jackson-databind	>= 0 < 2.4.2-3ubuntu0.1~esm2	2.4.2-3ubuntu0.1~esm2
fasterxml	jackson-databind	>= 2.0.0 < 2.6.7.3	2.6.7.3
fasterxml	jackson-databind	>= 2.7.0 < 2.7.9.5	2.7.9.5
fasterxml	jackson-databind	>= 2.8.0 < 2.8.11.3	2.8.11.3
fasterxml	jackson-databind	>= 2.9.0 < 2.9.7	2.9.7
oracle	banking_platform	—	—
oracle	banking_platform	—	—
oracle	banking_platform	—	—
oracle	banking_platform	—	—
oracle	business_process_management_suite	—	—
oracle	business_process_management_suite	—	—
oracle	communications_billing_and_revenue_management	—	—
oracle	communications_billing_and_revenue_management	—	—
oracle	communications_instant_messaging_server	—	—
oracle	enterprise_manager_for_virtualization	—	—
oracle	enterprise_manager_for_virtualization	—	—
oracle	enterprise_manager_for_virtualization	—	—
oracle	financial_services_analytical_applications_infrastructure	—	—

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

osv9.8CRITICAL