CVE-2018-14720

FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.

References

Affected packages

Git / github.com/fasterxml/jackson-databind

Affected ranges

Type: GIT
Repo: https://github.com/fasterxml/jackson-databind
Events: Introduced

21f90cf247018c1286cc20544029782450dc270a

Fixed

fab5c3877f7b8ae28a8e3a14d805bc9dcc8c153d

Introduced

50791cc7856376949287e0be3e96147665ab8f68

Fixed

2723191696b098f9b7566a5094a932baf5f7563e

Introduced

81929fad84189ce59ef82e7a6d0df795eb0c7cdb

Fixed

71c8143d4b1e2696b27d10cc969b22248e1ab6b6

Introduced

e969f0a31b781f5dfb74e16ddd5ee4b4fa36e8d8

Fixed

b36c8ac5d8cfce192059fc7c278766e685bf8a6c

Affected versions

jackson-databind-2.*

jackson-databind-2.5.5

jackson-databind-2.6.0

jackson-databind-2.6.1

jackson-databind-2.6.2

jackson-databind-2.6.3

jackson-databind-2.6.4

jackson-databind-2.6.5

jackson-databind-2.6.6

jackson-databind-2.6.7

jackson-databind-2.6.7.1

jackson-databind-2.7.0

jackson-databind-2.7.0-rc1

jackson-databind-2.7.0-rc2

jackson-databind-2.7.0-rc3

jackson-databind-2.7.1

jackson-databind-2.7.1-1

jackson-databind-2.7.2

jackson-databind-2.7.3

jackson-databind-2.7.4

jackson-databind-2.7.5

jackson-databind-2.7.6

jackson-databind-2.7.7

jackson-databind-2.7.8

jackson-databind-2.7.9

jackson-databind-2.7.9.1

jackson-databind-2.7.9.2

jackson-databind-2.7.9.3

jackson-databind-2.7.9.4

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-14720.json"