Attacker Value
Unknown
(0 users assessed)
Exploitability
Unknown
(0 users assessed)
User Interaction
Unknown
Privileges Required
Unknown
Attack Vector
Unknown
0

CVE-2018-14720

Disclosure Date: January 02, 2019
CVE-2018-14720
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics
Base Score:
None
Impact Score:
Unknown
Exploitability Score:
Unknown
Vector:
Unknown
Attack Vector (AV):
Unknown
Attack Complexity (AC):
Unknown
Privileges Required (PR):
Unknown
User Interaction (UI):
Unknown
Scope (S):
Unknown
Confidentiality (C):
Unknown
Integrity (I):
Unknown
Availability (A):
Unknown

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
n/a
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • debian,
  • fasterxml,
  • oracle,
  • redhat

Products

  • banking platform 2.5.0,
  • banking platform 2.6.0,
  • banking platform 2.6.1,
  • banking platform 2.6.2,
  • communications billing and revenue management 12.0,
  • communications billing and revenue management 7.5,
  • debian linux 8.0,
  • debian linux 9.0,
  • enterprise manager for virtualization 13.2.2,
  • enterprise manager for virtualization 13.2.3,
  • enterprise manager for virtualization 13.3.1,
  • financial services analytical applications infrastructure 8.0.2,
  • financial services analytical applications infrastructure 8.0.3,
  • financial services analytical applications infrastructure 8.0.4,
  • financial services analytical applications infrastructure 8.0.5,
  • financial services analytical applications infrastructure 8.0.6,
  • financial services analytical applications infrastructure 8.0.7,
  • jackson-databind,
  • jackson-databind 2.7.0,
  • jackson-databind 2.8.0,
  • jackson-databind 2.9.0,
  • jboss enterprise application platform 7.2.0,
  • jdeveloper 12.1.3.0.0,
  • jdeveloper 12.2.1.3.0,
  • openshift container platform 3.11,
  • primavera unifier,
  • primavera unifier 16.1,
  • primavera unifier 16.2,
  • primavera unifier 18.8,
  • retail merchandising system 15.0,
  • retail merchandising system 16.0,
  • webcenter portal 12.2.1.3.0

References

Canonical
CVE-2018-14720 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14720)
Advisory
https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44
https://github.com/FasterXML/jackson-databind/issues/2097
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.7
[debian-lts-announce] 20190304 [SECURITY] [DLA 1703-1] jackson-databind security update (https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html)
[lucene-dev] 20190325 [jira] [Assigned] (SOLR-13112) CVE-2018-14718(-14719),sonatype-2017-0312, CVE-2018-14720(-14721) Threat Level 8 Against Solr v7.6. com.fasterxml.jackson.core : jackson-databind : 2.9.6. FasterXML jackson-databind 2.x before 2.9.7 Remote Hackers... (https://lists.apache.org/thread.html/6a78f88716c3c57aa74ec05764a37ab3874769a347805903b393b286@%3Cdev.lucene.apache.org%3E)
[lucene-dev] 20190325 [jira] [Updated] (SOLR-13112) CVE-2018-14718(-14719),sonatype-2017-0312, CVE-2018-14720(-14721) Threat Level 8 Against Solr v7.6. com.fasterxml.jackson.core : jackson-databind : 2.9.6. FasterXML jackson-databind 2.x before 2.9.7 Remote Hackers... (https://lists.apache.org/thread.html/82b01bfb6787097427ce97cec6a7127e93718bc05d1efd5eaffc228f@%3Cdev.lucene.apache.org%3E)
[pulsar-commits] 20190416 [GitHub] [pulsar] one70six opened a new issue #4057: Security Vulnerabilities - Black Duck Scan - Pulsar v.2.3.1 (https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E)
[lucene-dev] 20190325 [jira] [Updated] (SOLR-13112) CVE-2018-14718(-14719),sonatype-2017-0312, CVE-2018-14720(-14721) Threat Level 8 Against Solr v7.6. com.fasterxml.jackson.core : jackson-databind : 2.9.6. FasterXML jackson-databind 2.x before 2.9.7 Remote Hackers... (https://lists.apache.org/thread.html/ba973114605d936be276ee6ce09dfbdbf78aa56f6cdc6e79bfa7b8df@%3Cdev.lucene.apache.org%3E)
https://access.redhat.com/errata/RHSA-2019:0782
https://access.redhat.com/errata/RHBA-2019:0959
https://access.redhat.com/errata/RHSA-2019:1107
https://access.redhat.com/errata/RHSA-2019:1108
https://access.redhat.com/errata/RHSA-2019:1106
https://access.redhat.com/errata/RHSA-2019:1140
DSA-4452 (https://www.debian.org/security/2019/dsa-4452)
20190527 [SECURITY] [DSA 4452-1] jackson-databind security update (https://seclists.org/bugtraq/2019/May/68)
https://security.netapp.com/advisory/ntap-20190530-0003
https://access.redhat.com/errata/RHSA-2019:1822
https://access.redhat.com/errata/RHSA-2019:1823
https://access.redhat.com/errata/RHSA-2019:2858
[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities (https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E)
https://access.redhat.com/errata/RHSA-2019:3149
[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities (https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E)
[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities (https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E)
https://access.redhat.com/errata/RHSA-2019:3892
https://access.redhat.com/errata/RHSA-2019:4037
[geode-issues] 20200831 [jira] [Created] (GEODE-8471) Dependency security issues in geode-core-1.12 (https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E)
Miscellaneous
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
https://www.oracle.com/security-alerts/cpuapr2020.html

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis