Vulnerability CVE-2018-14719


Published: 2019-01-02

Description:
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization.

Type: CWE-502 (Deserialization of Untrusted Data)

Vendor: Oracle
Product: Financial services analytical applications infrastructure 
Version:
8.0.7
8.0.6
8.0.5
8.0.4
8.0.3
8.0.2
Product: Communications billing and revenue management 
Version: 7.5
Product: Banking platform 
Version:
2.6.2
2.6.1
2.6.0
2.5.0
Vendor: Debian
Product: Debian linux 
Version: 8.0
Vendor: Fasterxml
Product: Jackson-databind 
Version:
2.9.6
2.9.5
2.9.4
2.9.3
2.9.2
2.9.1
2.9.0
2.8.9
2.8.8.1
2.8.8
2.8.7
2.8.6
2.8.5
2.8.4
2.8.3
2.8.2
2.8.11.3
2.8.11.2
2.8.11.1
2.8.11
2.8.10
2.8.1
2.8.0
2.7.9.5
2.7.9.4
2.7.9.3
2.7.9.2
2.7.9.1
2.7.9
2.7.8
2.7.7
2.7.6
2.7.5
2.7.4
2.7.3
2.7.2
2.7.1-1
2.7.1
2.7.0
2.6.7.2
2.6.7.1
2.6.7
2.6.6
2.6.5
2.6.4
2.6.3
2.6.2
2.6.1
2.6.0
2.5.5
2.5.4
2.5.3
2.5.2
2.5.1
2.5.0
2.4.6.1
2.4.6
2.4.5.1
2.4.5
2.4.4
2.4.3
2.4.2
2.4.1.3
2.4.1.2
2.4.1.1
2.4.1
2.4.0
2.3.5
2.3.4
2.3.3
2.3.2
2.3.1
2.3.0
2.2.4
2.2.3
2.2.2
2.2.1
2.2.0
2.1.5
2.1.4
2.1.3
2.1.2
2.1.1
2.1.0
2.0.6
2.0.5
2.0.4
2.0.2

CVSS2 vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

References:
https://access.redhat.com/errata/RHBA-2019:0959
https://access.redhat.com/errata/RHSA-2019:0782
https://access.redhat.com/errata/RHSA-2019:0877
https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44
https://github.com/FasterXML/jackson-databind/issues/2097
https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.7
https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E
https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

Related CVE:
CVE-2019-12086
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java ja...
CVE-2018-12023
An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provid...
CVE-2018-12022
An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in ...
CVE-2018-19362
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.
CVE-2018-19361
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.
CVE-2018-19360
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.
CVE-2018-14721
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.
CVE-2018-14720
FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.

Copyright 2019, cxsecurity.com
