FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

References
Link Providers
https://access.redhat.com/errata/RHBA-2019:0959 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:0782 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:1106 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:1107 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:1108 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:1140 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:1822 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:1823 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:2858 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:3149 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:3892 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:4037 cve-icon cve-icon
https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44 cve-icon cve-icon
https://github.com/FasterXML/jackson-databind/issues/2097 cve-icon cve-icon
https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.7 cve-icon cve-icon
https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/6a78f88716c3c57aa74ec05764a37ab3874769a347805903b393b286%40%3Cdev.lucene.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/82b01bfb6787097427ce97cec6a7127e93718bc05d1efd5eaffc228f%40%3Cdev.lucene.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/ba973114605d936be276ee6ce09dfbdbf78aa56f6cdc6e79bfa7b8df%40%3Cdev.lucene.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E cve-icon cve-icon
https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2018-14720 cve-icon
https://seclists.org/bugtraq/2019/May/68 cve-icon cve-icon
https://security.netapp.com/advisory/ntap-20190530-0003/ cve-icon cve-icon
https://www.cve.org/CVERecord?id=CVE-2018-14720 cve-icon
https://www.debian.org/security/2019/dsa-4452 cve-icon cve-icon
https://www.oracle.com/security-alerts/cpuapr2020.html cve-icon cve-icon
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html cve-icon cve-icon
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html cve-icon cve-icon
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html cve-icon cve-icon
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html cve-icon cve-icon
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2024-08-05T09:38:13.593Z

Reserved: 2018-07-28T00:00:00

Link: CVE-2018-14720

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2019-01-02T18:29:00.467

Modified: 2024-11-21T03:49:40.270

Link: CVE-2018-14720

cve-icon Redhat

Severity : Moderate

Publid Date: 2018-07-27T00:00:00Z

Links: CVE-2018-14720 - Bugzilla

cve-icon OpenCVE Enrichment

No data.