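FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code because the slf4j-ext class is not blocked from polymorphic deserialization. Exposure depends on the application deserializing untrusted JSON with polymorphic type handling enabled while slf4j-ext is on the classpath.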
{ "vanir_signatures": [ { "id": "CVE-2018-14718-0a79e837", "signature_type": "Line", "target": { "file": "src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java" }, "digest": { "line_hashes": [ "79952291775016737143195858008202576427", "65868810977220990246538512710163055999", "294756175790215291265040331230795220529" ], "threshold": 0.9 }, "deprecated": false, "signature_version": "v1", "source": "https://github.com/fasterxml/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44" } ] }