
CVE-2018-14720

Published: 27 Jul 2018
Source: redhat
CVSS3: 7.5
EPSS: Low

Description

FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.

Report

Red Hat Satellite 6 is not affected by this issue, since its only supported Java runtime (OpenJDK) doesn't bundle the com.sun.deploy.security.ruleset.DRSHelper class. Red Hat Enterprise Virtualization 4 is not affected by this issue, since its only supported Java runtime (OpenJDK) doesn't bundle the com.sun.deploy.security.ruleset.DRSHelper class.

Mitigation

The following conditions are all needed for an exploit; we recommend avoiding every one of them if possible:

  • Deserialization from sources you do not control
  • enableDefaultTyping()
  • @JsonTypeInfo using Id.CLASS or Id.MINIMAL_CLASS
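
As an added illustration (not part of the advisory or of jackson-databind itself), the risky ObjectMapper configuration named above is shown next to a hardened one: the hardened form replaces enableDefaultTyping() with activateDefaultTyping() behind a BasicPolymorphicTypeValidator allow-list (available from jackson-databind 2.10) and uses logical type names (Id.NAME) instead of class names. The Shape/Circle types and the com.example.shapes package prefix are hypothetical.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingCheck {

    // Hypothetical domain types (not from the advisory). Id.NAME plus an
    // explicit @JsonSubTypes list means the JSON can only pick from these
    // names, never an arbitrary class name such as a JDK class.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "type")
    @JsonSubTypes({ @JsonSubTypes.Type(value = Circle.class, name = "circle") })
    interface Shape {}

    static class Circle implements Shape {
        public double radius;
    }

    // Risky configuration (condition 2 from the advisory): untrusted JSON may
    // name any class on the classpath for the mapper to instantiate.
    static ObjectMapper riskyMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // deprecated since 2.10
        return mapper;
    }

    // Hardened configuration (assumed, jackson-databind >= 2.10): default
    // typing is only active for the listed base type and sub-type prefix, so
    // class names outside the allow-list are rejected before instantiation.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfBaseType(Shape.class)
                .allowIfSubType("com.example.shapes.") // hypothetical package
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a logical type name, not a class name.
        String json = "{\"type\":\"circle\",\"radius\":2.5}";
        Shape s = hardenedMapper().readValue(json, Shape.class);
        System.out.println("radius = " + ((Circle) s).radius);
    }
}
```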

Affected packages

| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat BPM Suite 6 | jackson-databind | Will not fix | | |
| Red Hat Enterprise Linux 8 | jackson-databind | Not affected | | |
| Red Hat JBoss A-MQ 6 | jackson-databind | Out of support scope | | |
| Red Hat JBoss BRMS 6 | jackson-databind | Will not fix | | |
| Red Hat JBoss Data Virtualization 6 | jackson-databind | Will not fix | | |
| Red Hat JBoss Enterprise Application Platform 6 | jackson-databind | Not affected | | |
| Red Hat JBoss Enterprise Application Platform Continuous Delivery | jackson-databind | Affected | | |
| Red Hat JBoss Fuse 6 | jackson-databind | Will not fix | | |
| Red Hat JBoss Fuse Integration Service 2 | jackson-databind | Will not fix | | |
| Red Hat JBoss Operations Network 3 | Core Server | Not affected | | |


Additional information

Status:

Moderate
Weakness:
CWE-502 -> CWE-611
https://bugzilla.redhat.com/show_bug.cgi?id=1666423
jackson-databind: exfiltration/XXE in some JDK classes

EPSS

Percentile: 87%
Score: 0.03256
Low

CVSS3

7.5 High

Related vulnerabilities

CVSS3: 9.8
ubuntu
about 7 years ago

FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.

CVSS3: 9.8
nvd
about 7 years ago

FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.

CVSS3: 9.8
debian
about 7 years ago

FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to c ...

CVSS3: 9.8
github
about 7 years ago

XML External Entity Reference (XXE) in jackson-databind

CVSS3: 9.8
fstec
more than 7 years ago

A vulnerability in the jackson-databind library related to improper restriction of XML external entity references, allowing an attacker to carry out an XXE attack
