CVE-2018-14721

Current Description

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.

Basic Data

Published: January 02, 2019
Last Modified: September 27, 2019
Assigner: cve@mitre.org
Data Type: CVE
Data Format: MITRE
Data Version: 4.0
Problem Type: CWE-918
CVE Data Version: 4.0

Base Metric V2

CVSS 2 - Version: 2.0
CVSS 2 - Vector String: AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS 2 - Access Vector: NETWORK
CVSS 2 - Access Complexity: LOW
CVSS 2 - Authentication: NONE
CVSS 2 - Confidentiality Impact: PARTIAL
CVSS 2 - Integrity Impact: PARTIAL
CVSS 2 - Availability Impact: PARTIAL
CVSS 2 - Base Score: 7.5
Severity: HIGH
Exploitability Score: 10.0
Impact Score: 6.4
Obtain All Privilege: false
Obtain User Privilege: false
Obtain Other Privilege: false

Base Metric V3

CVSS 3 - Version: 3.0
CVSS 3 - Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSS 3 - Attack Vector: NETWORK
CVSS 3 - Attack Complexity: LOW
CVSS 3 - Privileges Required: NONE
CVSS 3 - User Interaction: NONE
CVSS 3 - Scope: CHANGED
CVSS 3 - Confidentiality Impact: HIGH
CVSS 3 - Integrity Impact: HIGH
CVSS 3 - Availability Impact: HIGH
CVSS 3 - Base Score: 10.0
CVSS 3 - Base Severity: CRITICAL
Exploitability Score: 3.9
Base Severity: CRITICAL

Configurations

  All CPE entries below are CPE 2.3. The Edition, Language, SW Edition, Target SW, Target HW and Other fields are "*" (any) for every row, so they are omitted from the tables.

  • OR - Configuration 1
    Part        | Vendor    | Product          | Version | Update | Version range
    Application | Fasterxml | Jackson-databind | *       | *      | from 2.6.0 (including) up to 2.6.7.2 (excluding)
    Application | Fasterxml | Jackson-databind | *       | *      | from 2.7.0 (including) up to 2.7.9.5 (excluding)
    Application | Fasterxml | Jackson-databind | 2.7.0   | rc1    |
    Application | Fasterxml | Jackson-databind | 2.7.0   | rc2    |
    Application | Fasterxml | Jackson-databind | 2.7.0   | rc3    |
    Application | Fasterxml | Jackson-databind | *       | *      | from 2.8.0 (including) up to 2.8.11.3 (excluding)
    Application | Fasterxml | Jackson-databind | 2.8.0   | rc1    |
    Application | Fasterxml | Jackson-databind | 2.8.0   | rc2    |
    Application | Fasterxml | Jackson-databind | *       | *      | from 2.9.0 (including) up to 2.9.7 (excluding)
    Application | Fasterxml | Jackson-databind | 2.9.0   | pr1    |
    Application | Fasterxml | Jackson-databind | 2.9.0   | pr2    |
    Application | Fasterxml | Jackson-databind | 2.9.0   | pr3    |
    Application | Fasterxml | Jackson-databind | 2.9.0   | pr4    |
  • OR - Configuration 2
    Part | Vendor | Product      | Version | Update | Version range
    OS   | Debian | Debian Linux | 8.0     | *      |
    OS   | Debian | Debian Linux | 9.0     | *      |
  • OR - Configuration 3
    Part        | Vendor | Product                                                   | Version    | Update | Version range
    Application | Oracle | Banking Platform                                          | 2.5.0      | *      |
    Application | Oracle | Banking Platform                                          | 2.6.0      | *      |
    Application | Oracle | Banking Platform                                          | 2.6.1      | *      |
    Application | Oracle | Banking Platform                                          | 2.6.2      | *      |
    Application | Oracle | Communications Billing And Revenue Management             | 7.5        | *      |
    Application | Oracle | Communications Billing And Revenue Management             | 12.0       | *      |
    Application | Oracle | Enterprise Manager For Virtualization                     | 13.2.2     | *      |
    Application | Oracle | Enterprise Manager For Virtualization                     | 13.2.3     | *      |
    Application | Oracle | Enterprise Manager For Virtualization                     | 13.3.1     | *      |
    Application | Oracle | Financial Services Analytical Applications Infrastructure | 8.0.2      | *      |
    Application | Oracle | Financial Services Analytical Applications Infrastructure | 8.0.3      | *      |
    Application | Oracle | Financial Services Analytical Applications Infrastructure | 8.0.4      | *      |
    Application | Oracle | Financial Services Analytical Applications Infrastructure | 8.0.5      | *      |
    Application | Oracle | Financial Services Analytical Applications Infrastructure | 8.0.6      | *      |
    Application | Oracle | Financial Services Analytical Applications Infrastructure | 8.0.7      | *      |
    Application | Oracle | Jdeveloper                                                | 12.1.3.0.0 | *      |
    Application | Oracle | Jdeveloper                                                | 12.2.1.3.0 | *      |
    Application | Oracle | Primavera Unifier                                         | 16.1       | *      |
    Application | Oracle | Primavera Unifier                                         | 16.2       | *      |
    Application | Oracle | Primavera Unifier                                         | *          | *      | from 17.1 (including) up to 17.12 (including)
    Application | Oracle | Primavera Unifier                                         | 18.8       | *      |
    Application | Oracle | Retail Merchandising System                               | 15.0       | *      |
    Application | Oracle | Retail Merchandising System                               | 16.0       | *      |
    Application | Oracle | Webcenter Portal                                          | 12.2.1.3.0 | *      |
  • OR - Configuration 4
    Part        | Vendor | Product                               | Version | Update | Version range
    Application | Redhat | Jboss Enterprise Application Platform | 7.2.0   | *      |
    Application | Redhat | Openshift Container Platform          | 3.11    | *      |

Vulnerable Software List

Vendor    | Product                                                   | Versions
Fasterxml | Jackson-databind                                          | *, 2.7.0, 2.8.0, 2.9.0
Debian    | Debian Linux                                              | 8.0, 9.0
Redhat    | Jboss Enterprise Application Platform                     | 7.2.0
Redhat    | Openshift Container Platform                              | 3.11
Oracle    | Financial Services Analytical Applications Infrastructure | 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7
Oracle    | Webcenter Portal                                          | 12.2.1.3.0
Oracle    | Jdeveloper                                                | 12.1.3.0.0, 12.2.1.3.0
Oracle    | Communications Billing And Revenue Management             | 12.0, 7.5
Oracle    | Primavera Unifier                                         | *, 16.1, 16.2, 18.8
Oracle    | Retail Merchandising System                               | 15.0, 16.0
Oracle    | Banking Platform                                          | 2.5.0, 2.6.0, 2.6.1, 2.6.2
Oracle    | Enterprise Manager For Virtualization                     | 13.2.2, 13.2.3, 13.3.1

References

Name | URL | Source | Tags
RHBA-2019:0959 | https://access.redhat.com/errata/RHBA-2019:0959 | REDHAT | Third Party Advisory
RHSA-2019:0782 | https://access.redhat.com/errata/RHSA-2019:0782 | REDHAT | Third Party Advisory
RHSA-2019:1106 | https://access.redhat.com/errata/RHSA-2019:1106 | REDHAT | Third Party Advisory
RHSA-2019:1107 | https://access.redhat.com/errata/RHSA-2019:1107 | REDHAT | Third Party Advisory
RHSA-2019:1108 | https://access.redhat.com/errata/RHSA-2019:1108 | REDHAT | Third Party Advisory
RHSA-2019:1140 | https://access.redhat.com/errata/RHSA-2019:1140 | REDHAT | Third Party Advisory
RHSA-2019:1822 | https://access.redhat.com/errata/RHSA-2019:1822 | REDHAT | Third Party Advisory
RHSA-2019:1823 | https://access.redhat.com/errata/RHSA-2019:1823 | REDHAT | Third Party Advisory
RHSA-2019:2858 | https://access.redhat.com/errata/RHSA-2019:2858 | REDHAT |
RHSA-2019:3149 | https://access.redhat.com/errata/RHSA-2019:3149 | REDHAT |
RHSA-2019:3892 | https://access.redhat.com/errata/RHSA-2019:3892 | REDHAT |
RHSA-2019:4037 | https://access.redhat.com/errata/RHSA-2019:4037 | REDHAT |
Jackson Release 2.9.7 | https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.7 | CONFIRM | Patch, Release Notes, Third Party Advisory
jackson-databind commit 87d29af | https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44 | CONFIRM | Patch, Third Party Advisory
jackson-databind issue #2097 | https://github.com/FasterXML/jackson-databind/issues/2097 | CONFIRM | Issue Tracking, Patch, Third Party Advisory
[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities | https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev | MLIST |
[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities | https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev | MLIST |
[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities | https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Ciss | MLIST |
[pulsar-commits] 20190416 [GitHub] [pulsar] one70six opened a new issue #4057: Security Vulnerabilities - Black Duck Scan - Pulsar v.2.3.1 | https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccom | MLIST | Third Party Advisory
[debian-lts-announce] 20190304 [SECURITY] [DLA 1703-1] jackson-databind security update | https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html | MLIST | Mailing List, Third Party Advisory
20190527 [SECURITY] [DSA 4452-1] jackson-databind security update | https://seclists.org/bugtraq/2019/May/68 | BUGTRAQ | Mailing List, Third Party Advisory
NetApp advisory ntap-20190530-0003 | https://security.netapp.com/advisory/ntap-20190530-0003/ | CONFIRM | Third Party Advisory
DSA-4452 | https://www.debian.org/security/2019/dsa-4452 | DEBIAN | Third Party Advisory
N/A | https://www.oracle.com/security-alerts/cpuapr2020.html | N/A |
Oracle Critical Patch Update, April 2019 | https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html | MISC | Patch, Third Party Advisory
Oracle Critical Patch Update, January 2019 | https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html | CONFIRM | Patch, Third Party Advisory
Oracle Critical Patch Update, July 2019 | https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html | MISC | Patch, Third Party Advisory
Oracle Critical Patch Update, October 2019 | https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html | MISC |