CVE-2018-14720: FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK…

critical9.8CVSS 3.0

AVNACLPRNUINSUCHIHAH

FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.

Affected

41 ranges· showing 25

Vendor	Product	Version range	Fixed in
debian	debian_linux	—	—
debian	debian_linux	—	—
debian	jackson-databind	< jackson-databind 2.9.8-1 (bookworm)	jackson-databind 2.9.8-1 (bookworm)
fasterxml	jackson-databind	—	—
fasterxml	jackson-databind	—	—
fasterxml	jackson-databind	—	—
fasterxml	jackson-databind	>= 0 < 2.9.8-1	2.9.8-1
fasterxml	jackson-databind	>= 0 < 2.9.8-1	2.9.8-1
fasterxml	jackson-databind	>= 0 < 2.9.8-1	2.9.8-1
fasterxml	jackson-databind	>= 0 < 2.9.8-1	2.9.8-1
fasterxml	jackson-databind	>= 0 < 2.4.2-3ubuntu0.1~esm2	2.4.2-3ubuntu0.1~esm2
fasterxml	jackson-databind	>= 2.6.0 < 2.6.7.2	2.6.7.2
fasterxml	jackson-databind	>= 2.7.0 < 2.7.9.5	2.7.9.5
fasterxml	jackson-databind	>= 2.8.0 < 2.8.11.3	2.8.11.3
fasterxml	jackson-databind	>= 2.9.0 < 2.9.7	2.9.7
oracle	banking_platform	—	—
oracle	banking_platform	—	—
oracle	banking_platform	—	—
oracle	banking_platform	—	—
oracle	communications_billing_and_revenue_management	—	—
oracle	communications_billing_and_revenue_management	—	—
oracle	enterprise_manager_for_virtualization	—	—
oracle	enterprise_manager_for_virtualization	—	—
oracle	enterprise_manager_for_virtualization	—	—
oracle	financial_services_analytical_applications_infrastructure	—	—

CVSS provenance

nvdv3.09.8CRITICALCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

osv9.8CRITICAL