CVE-2018-14721 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	10 CRITICAL	NETWORK	LOW	NONE	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
mitre	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 92%

Vendor	Product	Version
fasterxml	jackson-databind	2.6.0 ≤ 𝑥 < 2.6.7.2
fasterxml	jackson-databind	2.7.0 ≤ 𝑥 < 2.7.9.5
fasterxml	jackson-databind	2.8.0 ≤ 𝑥 < 2.8.11.3
fasterxml	jackson-databind	2.9.0 ≤ 𝑥 < 2.9.7
fasterxml	jackson-databind	2.7.0:rc1
fasterxml	jackson-databind	2.7.0:rc2
fasterxml	jackson-databind	2.7.0:rc3
fasterxml	jackson-databind	2.8.0:rc1
fasterxml	jackson-databind	2.8.0:rc2
fasterxml	jackson-databind	2.9.0:pr1
fasterxml	jackson-databind	2.9.0:pr2
fasterxml	jackson-databind	2.9.0:pr3
fasterxml	jackson-databind	2.9.0:pr4
debian	debian_linux	8.0
debian	debian_linux	9.0
oracle	banking_platform	2.5.0
oracle	banking_platform	2.6.0
oracle	banking_platform	2.6.1
oracle	banking_platform	2.6.2
oracle	communications_billing_and_revenue_management	7.5
oracle	communications_billing_and_revenue_management	12.0
oracle	enterprise_manager_for_virtualization	13.2.2
oracle	enterprise_manager_for_virtualization	13.2.3
oracle	enterprise_manager_for_virtualization	13.3.1
oracle	financial_services_analytical_applications_infrastructure	8.0.2
oracle	financial_services_analytical_applications_infrastructure	8.0.3
oracle	financial_services_analytical_applications_infrastructure	8.0.4
oracle	financial_services_analytical_applications_infrastructure	8.0.5
oracle	financial_services_analytical_applications_infrastructure	8.0.6
oracle	financial_services_analytical_applications_infrastructure	8.0.7
oracle	jdeveloper	12.1.3.0.0
oracle	jdeveloper	12.2.1.3.0
oracle	primavera_unifier	17.1 ≤ 𝑥 ≤ 17.12
oracle	primavera_unifier	16.1
oracle	primavera_unifier	16.2
oracle	primavera_unifier	18.8
oracle	retail_merchandising_system	15.0
oracle	retail_merchandising_system	16.0
oracle	webcenter_portal	12.2.1.3.0
redhat	jboss_enterprise_application_platform	7.2.0
redhat	openshift_container_platform	3.11

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

jackson-databind

bullseye	2.12.1-1+deb11u1 fixed
bullseye (security)	2.12.1-1+deb11u1 fixed
sid	2.14.0-1 fixed
trixie	2.14.0-1 fixed
bookworm	2.14.0-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

jackson-databind

noble	not-affected
mantic	not-affected
lunar	not-affected
kinetic	not-affected
jammy	not-affected
impish	not-affected
hirsute	not-affected
groovy	not-affected
focal	not-affected
eoan	not-affected
disco	not-affected
cosmic	ignored
bionic	not-affected
xenial	Fixed 2.4.2-3ubuntu0.1~esm2 released
trusty	needed

Common Weakness Enumeration

CWE-918 - Server-Side Request Forgery (SSRF)
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

References

https://access.redhat.com/errata/RHBA-2019:0959

https://access.redhat.com/errata/RHSA-2019:0782

https://access.redhat.com/errata/RHSA-2019:1106

https://access.redhat.com/errata/RHSA-2019:1107

https://access.redhat.com/errata/RHSA-2019:1108

https://access.redhat.com/errata/RHSA-2019:1140

https://access.redhat.com/errata/RHSA-2019:1822

https://access.redhat.com/errata/RHSA-2019:1823

https://access.redhat.com/errata/RHSA-2019:2858

https://access.redhat.com/errata/RHSA-2019:3149

https://access.redhat.com/errata/RHSA-2019:3892

https://access.redhat.com/errata/RHSA-2019:4037

https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44

https://github.com/FasterXML/jackson-databind/issues/2097

https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.7

https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E

https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E

https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E

https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E

https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E

https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html

https://seclists.org/bugtraq/2019/May/68

https://security.netapp.com/advisory/ntap-20190530-0003/

https://www.debian.org/security/2019/dsa-4452

https://www.oracle.com/security-alerts/cpuapr2020.html

https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

https://access.redhat.com/errata/RHBA-2019:0959

https://access.redhat.com/errata/RHSA-2019:0782

https://access.redhat.com/errata/RHSA-2019:1106

https://access.redhat.com/errata/RHSA-2019:1107

https://access.redhat.com/errata/RHSA-2019:1108

https://access.redhat.com/errata/RHSA-2019:1140

https://access.redhat.com/errata/RHSA-2019:1822

https://access.redhat.com/errata/RHSA-2019:1823

https://access.redhat.com/errata/RHSA-2019:2858

https://access.redhat.com/errata/RHSA-2019:3149

https://access.redhat.com/errata/RHSA-2019:3892

https://access.redhat.com/errata/RHSA-2019:4037

https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44

https://github.com/FasterXML/jackson-databind/issues/2097

https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.7

https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E

https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E

https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E

https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E

https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E

https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html

https://seclists.org/bugtraq/2019/May/68

https://security.netapp.com/advisory/ntap-20190530-0003/

https://www.debian.org/security/2019/dsa-4452

https://www.oracle.com/security-alerts/cpuapr2020.html

https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html