CVE-2018-14721: FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block…

critical10CVSS 3.0

AVNACLPRNUINSCCHIHAH

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.

Affected

41 ranges· showing 25

Vendor	Product	Version range	Fixed in
debian	debian_linux	—	—
debian	debian_linux	—	—
debian	jackson-databind	< jackson-databind 2.9.8-1 (bookworm)	jackson-databind 2.9.8-1 (bookworm)
fasterxml	jackson-databind	—	—
fasterxml	jackson-databind	—	—
fasterxml	jackson-databind	—	—
fasterxml	jackson-databind	>= 0 < 2.9.8-1	2.9.8-1
fasterxml	jackson-databind	>= 0 < 2.9.8-1	2.9.8-1
fasterxml	jackson-databind	>= 0 < 2.9.8-1	2.9.8-1
fasterxml	jackson-databind	>= 0 < 2.9.8-1	2.9.8-1
fasterxml	jackson-databind	>= 0 < 2.4.2-3ubuntu0.1~esm2	2.4.2-3ubuntu0.1~esm2
fasterxml	jackson-databind	>= 2.6.0 < 2.6.7.2	2.6.7.2
fasterxml	jackson-databind	>= 2.7.0 < 2.7.9.5	2.7.9.5
fasterxml	jackson-databind	>= 2.8.0 < 2.8.11.3	2.8.11.3
fasterxml	jackson-databind	>= 2.9.0 < 2.9.7	2.9.7
oracle	banking_platform	—	—
oracle	banking_platform	—	—
oracle	banking_platform	—	—
oracle	banking_platform	—	—
oracle	communications_billing_and_revenue_management	—	—
oracle	communications_billing_and_revenue_management	—	—
oracle	enterprise_manager_for_virtualization	—	—
oracle	enterprise_manager_for_virtualization	—	—
oracle	enterprise_manager_for_virtualization	—	—
oracle	financial_services_analytical_applications_infrastructure	—	—

CVSS provenance

nvdv3.010.0CRITICALCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

osv10.0CRITICAL