9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2018-14718

GHSA ID

GHSA-645p-88qh-w398

EPSS Score

0.94161%

CWE

CWE-502

Published

1/4/2019

Updated

9/14/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2018-14718

CVE-2018-14718: Arbitrary Code Execution in jackson-databind

FasterXML jackson-databind 2.x before 2.9.7, 2.8.11.3, 2.7.9.5, and 2.6.7.3 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.

(GitHub Advisory)

9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2018-14718

GHSA ID

GHSA-645p-88qh-w398

EPSS Score

0.94161%

CWE

CWE-502

Published

1/4/2019

Updated

9/14/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
com.fasterxml.jackson.core:jackson-databind	maven	>= 2.9.0, < 2.9.7	2.9.7
com.fasterxml.jackson.core:jackson-databind	maven	>= 2.8.0, <= 2.8.11.2	2.8.11.3
com.fasterxml.jackson.core:jackson-databind	maven	>= 2.7.0, <= 2.7.9.4	2.7.9.5
com.fasterxml.jackson.core:jackson-databind	maven	>= 2.0.0, < 2.6.7.3	2.6.7.3

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The patch modifies the BeanDeserializerFactory class to block 'org.slf4j.ext.EventData' from polymorphic deserialization, indicating this class was previously not blocked and is now mitigated. The deserialization process, potentially handled by methods within or related to BeanDeserializerFactory, is the key area of vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

**st*rXML j**kson-**t**in* *.x ***or* *.*.*, *.*.**.*, *.*.*.*, *n* *.*.*.* mi**t *llow r*mot* *tt**k*rs to *x**ut* *r*itr*ry *o** *y l*v*r**in* **ilur* to *lo*k t** sl**j-*xt *l*ss *rom polymorp*i* **s*ri*liz*tion.

Reasoning

T** p*t** mo*i*i*s t** `***n**s*ri*liz*r***tory` *l*ss to *lo*k 'or*.sl**j.*xt.*v*nt**t*' *rom polymorp*i* **s*ri*liz*tion, in*i**tin* t*is *l*ss w*s pr*viously not *lo*k** *n* is now miti**t**. T** **s*ri*liz*tion `pro**ss`, pot*nti*lly **n*l** *y m

9.8

Basic Information

Concerned about an active attack path?

CVE-2018-14718: Arbitrary Code Execution in jackson-databind

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI