CVE-2018-14719

9.8

CRITICAL

FasterXML Jackson-databind Deserialization RCE Vulnerability

Description

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization.

INFO

Published Date :

Jan. 2, 2019, 6:29 p.m.

Last Modified :

Nov. 7, 2023, 2:53 a.m.

Source :

[email protected]

Remotely Exploitable :

Yes !

Impact Score :

5.9

Exploitability Score :

3.9 Public PoC/Exploit Available at Github

CVE-2018-14719 has a 3 public PoC/Exploit available at Github. Go to the Public Exploits tab to see the list.

Affected Products

The following products are affected by CVE-2018-14719 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID	Vendor	Product
1	Oracle	primavera_unifier
2	Oracle	database_server
3	Oracle	primavera_p6_enterprise_project_portfolio_management
4	Oracle	communications_billing_and_revenue_management
5	Oracle	business_process_management_suite
6	Oracle	webcenter_portal
7	Oracle	retail_merchandising_system
8	Oracle	banking_platform
9	Oracle	jdeveloper
10	Oracle	financial_services_analytical_applications_infrastructure
11	Oracle	enterprise_manager_for_virtualization
12	Oracle	clusterware
13	Oracle	global_lifecycle_management_opatch
14	Oracle	retail_workforce_management_software
1	Netapp	oncommand_workflow_automation
2	Netapp	snapcenter
3	Netapp	steelstore_cloud_integrated_storage
1	Debian	debian_linux
1	Redhat	openshift_container_platform
1	Fasterxml	jackson-databind

: Total Affected Vendor : 5 | Products : 20

References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2018-14719.

URL	Resource
https://access.redhat.com/errata/RHBA-2019:0959	Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:0782	Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:0877	Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:1782	Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:1797	Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:1822	Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:1823	Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:2804	Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:2858	Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:3002	Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:3140	Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:3149	Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:3892	Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:4037	Third Party Advisory
https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44	Patch Third Party Advisory
https://github.com/FasterXML/jackson-databind/issues/2097	Patch Third Party Advisory
https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.7	Patch Release Notes Third Party Advisory
https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E
https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E
https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E
https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E
https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E
https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html	Mailing List Third Party Advisory
https://seclists.org/bugtraq/2019/May/68	Issue Tracking Mailing List Third Party Advisory
https://security.netapp.com/advisory/ntap-20190530-0003/	Third Party Advisory
https://www.debian.org/security/2019/dsa-4452	Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2020.html	Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html	Patch Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html	Patch Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html	Patch Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html	Patch Third Party Advisory

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

seal-community/patches

A centralized repository of standalone security patches for open source libraries.

appsec backport cve devsecops fix hotfix open-source patch protection remediation seal security update upgrade vulnerability

Updated: 2 months, 3 weeks ago

182 stars 0 fork 0 watcher

Born at : July 30, 2023, 4:46 p.m. This repo has been linked 265 different CVEs too.

PalindromeLabs/Java-Deserialization-CVEs

Compiled dataset of Java deserialization CVEs

java-deserialization deserialization cve security

Updated: 4 months ago

60 stars 4 fork 4 watcher

Born at : July 22, 2020, 1:10 p.m. This repo has been linked 308 different CVEs too.

ilmari666/cybsec

Cyber Securiy MOOC Unsecure project

Java HTML

Updated: 2 years, 2 months ago

1 stars 1 fork 1 watcher

Born at : Dec. 29, 2019, 12:57 p.m. This repo has been linked 70 different CVEs too.

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2018-14719 vulnerability anywhere in the article.

The following table lists the changes that have been made to the CVE-2018-14719 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

CVE Modified by [email protected]

May. 14, 2024

Action Type Old Value New Value

CVE Modified by [email protected]

Nov. 07, 2023

Action	Type	Old Value	New Value
Added	Reference		MITRE https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E [No types assigned]
Added	Reference		MITRE https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E [No types assigned]
Added	Reference		MITRE https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E [No types assigned]
Added	Reference		MITRE https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E [No types assigned]
Added	Reference		MITRE https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E [No types assigned]
Removed	Reference	MITRE https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E
Removed	Reference	MITRE https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E
Removed	Reference	MITRE https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E
Removed	Reference	MITRE https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E
Removed	Reference	MITRE https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E

Reanalysis by [email protected]

Sep. 13, 2023

Action	Type	Old Value	New Value
Changed	Reference Type	https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html Third Party Advisory	https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html Patch, Third Party Advisory
Changed	Reference Type	https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html Third Party Advisory	https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html Patch, Third Party Advisory
Changed	Reference Type	https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html Third Party Advisory	https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html Patch, Third Party Advisory
Changed	Reference Type	https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html Third Party Advisory	https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html Patch, Third Party Advisory
Changed	CPE Configuration	OR cpe:2.3:a:fasterxml:jackson-databind::::::::* versions from (including) 2.6.0 up to (excluding) 2.6.7.2 cpe:2.3:a:fasterxml:jackson-databind::::::::* versions from (including) 2.7.0 up to (excluding) 2.7.9.5 cpe:2.3:a:fasterxml:jackson-databind::::::::* versions from (including) 2.8.0 up to (excluding) 2.8.11.3 cpe:2.3:a:fasterxml:jackson-databind::::::::* versions from (including) 2.9.0 up to (excluding) 2.9.7	OR cpe:2.3:a:fasterxml:jackson-databind::::::::* versions from (including) 2.0.0 up to (excluding) 2.6.7.3 cpe:2.3:a:fasterxml:jackson-databind::::::::* versions from (including) 2.7.0 up to (excluding) 2.7.9.5 cpe:2.3:a:fasterxml:jackson-databind::::::::* versions from (including) 2.8.0 up to (excluding) 2.8.11.3 cpe:2.3:a:fasterxml:jackson-databind::::::::* versions from (including) 2.9.0 up to (excluding) 2.9.7

Modified Analysis by [email protected]

May. 21, 2021

CVE Modified by [email protected]

Aug. 31, 2020

Action	Type	Old Value	New Value
Added	Reference		https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E [No Types Assigned]

CVE Modified by [email protected]

Apr. 15, 2020

Action Type Old Value New Value

Added Reference https://www.oracle.com/security-alerts/cpuapr2020.html [No Types Assigned]
CVE Modified by [email protected]

Dec. 02, 2019

Action Type Old Value New Value

Added Reference https://access.redhat.com/errata/RHSA-2019:4037 [No Types Assigned]

Action	Type	Old Value	New Value
Added	Reference		https://www.oracle.com/security-alerts/cpuapr2020.html [No Types Assigned]

Action	Type	Old Value	New Value
Added	Reference		https://access.redhat.com/errata/RHSA-2019:4037 [No Types Assigned]

CVE Modified by [email protected]

Nov. 15, 2019

Action	Type	Old Value	New Value
Added	Reference		https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E [No Types Assigned]
Added	Reference		https://access.redhat.com/errata/RHSA-2019:3892 [No Types Assigned]

CVE Modified by [email protected]

Oct. 21, 2019

Action Type Old Value New Value

Added Reference https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E [No Types Assigned]
CVE Modified by [email protected]

Oct. 18, 2019

Action Type Old Value New Value

Added Reference https://access.redhat.com/errata/RHSA-2019:3149 [No Types Assigned]
CVE Modified by [email protected]

Oct. 17, 2019

Action Type Old Value New Value

Added Reference https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E [No Types Assigned]
CVE Modified by [email protected]

Oct. 17, 2019

Action Type Old Value New Value

Added Reference https://access.redhat.com/errata/RHSA-2019:3140 [No Types Assigned]
CVE Modified by [email protected]

Oct. 16, 2019

Action Type Old Value New Value

Added Reference https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html [No Types Assigned]
CVE Modified by [email protected]

Oct. 10, 2019

Action Type Old Value New Value

Added Reference https://access.redhat.com/errata/RHSA-2019:3002 [No Types Assigned]
CVE Modified by [email protected]

Sep. 27, 2019

Action Type Old Value New Value

Added Reference https://access.redhat.com/errata/RHSA-2019:2858 [No Types Assigned]
CVE Modified by [email protected]

Sep. 17, 2019

Action Type Old Value New Value

Added Reference https://access.redhat.com/errata/RHSA-2019:2804 [No Types Assigned]

Action	Type	Old Value	New Value
Added	Reference		https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E [No Types Assigned]

Action	Type	Old Value	New Value
Added	Reference		https://access.redhat.com/errata/RHSA-2019:3149 [No Types Assigned]

Action	Type	Old Value	New Value
Added	Reference		https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E [No Types Assigned]

Action	Type	Old Value	New Value
Added	Reference		https://access.redhat.com/errata/RHSA-2019:3140 [No Types Assigned]

Action	Type	Old Value	New Value
Added	Reference		https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html [No Types Assigned]

Action	Type	Old Value	New Value
Added	Reference		https://access.redhat.com/errata/RHSA-2019:3002 [No Types Assigned]

Action	Type	Old Value	New Value
Added	Reference		https://access.redhat.com/errata/RHSA-2019:2858 [No Types Assigned]

Action	Type	Old Value	New Value
Added	Reference		https://access.redhat.com/errata/RHSA-2019:2804 [No Types Assigned]

Modified Analysis by [email protected]

Aug. 21, 2019

Action	Type	Old Value	New Value
Changed	Reference Type	https://access.redhat.com/errata/RHBA-2019:0959 No Types Assigned	https://access.redhat.com/errata/RHBA-2019:0959 Third Party Advisory
Changed	Reference Type	https://access.redhat.com/errata/RHSA-2019:1782 No Types Assigned	https://access.redhat.com/errata/RHSA-2019:1782 Third Party Advisory
Changed	Reference Type	https://access.redhat.com/errata/RHSA-2019:1797 No Types Assigned	https://access.redhat.com/errata/RHSA-2019:1797 Third Party Advisory
Changed	Reference Type	https://access.redhat.com/errata/RHSA-2019:1822 No Types Assigned	https://access.redhat.com/errata/RHSA-2019:1822 Third Party Advisory
Changed	Reference Type	https://access.redhat.com/errata/RHSA-2019:1823 No Types Assigned	https://access.redhat.com/errata/RHSA-2019:1823 Third Party Advisory
Changed	Reference Type	https://seclists.org/bugtraq/2019/May/68 No Types Assigned	https://seclists.org/bugtraq/2019/May/68 Mailing List, Third Party Advisory
Changed	Reference Type	https://security.netapp.com/advisory/ntap-20190530-0003/ No Types Assigned	https://security.netapp.com/advisory/ntap-20190530-0003/ Third Party Advisory
Changed	Reference Type	https://www.debian.org/security/2019/dsa-4452 No Types Assigned	https://www.debian.org/security/2019/dsa-4452 Third Party Advisory
Changed	Reference Type	https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html No Types Assigned	https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html Patch, Third Party Advisory
Changed	CPE Configuration	OR cpe:2.3:a:fasterxml:jackson-databind::::::::* versions from (including) 2.0.0 up to (excluding) 2.9.7	OR cpe:2.3:a:fasterxml:jackson-databind::::::::* versions from (including) 2.6.0 up to (excluding) 2.6.7.2 cpe:2.3:a:fasterxml:jackson-databind::::::::* versions from (including) 2.7.0 up to (excluding) 2.7.9.5 cpe:2.3:a:fasterxml:jackson-databind:2.7.0:rc1::::::* cpe:2.3:a:fasterxml:jackson-databind:2.7.0:rc2::::::* cpe:2.3:a:fasterxml:jackson-databind:2.7.0:rc3::::::* cpe:2.3:a:fasterxml:jackson-databind::::::::* versions from (including) 2.8.0 up to (excluding) 2.8.11.3 cpe:2.3:a:fasterxml:jackson-databind:2.8.0:rc1::::::* cpe:2.3:a:fasterxml:jackson-databind:2.8.0:rc2::::::* cpe:2.3:a:fasterxml:jackson-databind::::::::* versions from (including) 2.9.0 up to (excluding) 2.9.7 cpe:2.3:a:fasterxml:jackson-databind:2.9.0:pr1::::::* cpe:2.3:a:fasterxml:jackson-databind:2.9.0:pr2::::::* cpe:2.3:a:fasterxml:jackson-databind:2.9.0:pr3::::::* cpe:2.3:a:fasterxml:jackson-databind:2.9.0:pr4::::::*
Changed	CPE Configuration	OR cpe:2.3:o:debian:debian_linux:8.0:::::::	OR cpe:2.3:o:debian:debian_linux:8.0::::::: cpe:2.3:o:debian:debian_linux:9.0:::::::
Added	CPE Configuration		OR cpe:2.3:a:redhat:openshift_container_platform:3.11:::::::

CVE Modified by [email protected]

Jul. 23, 2019

Action Type Old Value New Value

Added Reference https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html [No Types Assigned]

Action	Type	Old Value	New Value
Added	Reference		https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html [No Types Assigned]

CVE Modified by [email protected]

Jul. 22, 2019

Action	Type	Old Value	New Value
Added	Reference		https://access.redhat.com/errata/RHSA-2019:1823 [No Types Assigned]
Added	Reference		https://access.redhat.com/errata/RHSA-2019:1822 [No Types Assigned]

CVE Modified by [email protected]

Jul. 16, 2019

Action Type Old Value New Value

Added Reference https://access.redhat.com/errata/RHSA-2019:1797 [No Types Assigned]
CVE Modified by [email protected]

Jul. 15, 2019

Action Type Old Value New Value

Added Reference https://access.redhat.com/errata/RHSA-2019:1782 [No Types Assigned]
CVE Modified by [email protected]

May. 30, 2019

Action Type Old Value New Value

Added Reference https://security.netapp.com/advisory/ntap-20190530-0003/ [No Types Assigned]
CVE Modified by [email protected]

May. 27, 2019

Action Type Old Value New Value

Added Reference https://seclists.org/bugtraq/2019/May/68 [No Types Assigned]
CVE Modified by [email protected]

May. 25, 2019

Action Type Old Value New Value

Added Reference https://www.debian.org/security/2019/dsa-4452 [No Types Assigned]
CVE Modified by [email protected]

May. 07, 2019

Action Type Old Value New Value

Added Reference https://access.redhat.com/errata/RHBA-2019:0959 [No Types Assigned]

Action	Type	Old Value	New Value
Added	Reference		https://access.redhat.com/errata/RHSA-2019:1797 [No Types Assigned]

Action	Type	Old Value	New Value
Added	Reference		https://access.redhat.com/errata/RHSA-2019:1782 [No Types Assigned]

Action	Type	Old Value	New Value
Added	Reference		https://security.netapp.com/advisory/ntap-20190530-0003/ [No Types Assigned]

Action	Type	Old Value	New Value
Added	Reference		https://seclists.org/bugtraq/2019/May/68 [No Types Assigned]

Action	Type	Old Value	New Value
Added	Reference		https://www.debian.org/security/2019/dsa-4452 [No Types Assigned]

Action	Type	Old Value	New Value
Added	Reference		https://access.redhat.com/errata/RHBA-2019:0959 [No Types Assigned]

Modified Analysis by [email protected]

Apr. 26, 2019

Action	Type	Old Value	New Value
Changed	Reference Type	https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html No Types Assigned	https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html Patch, Third Party Advisory
Changed	Reference Type	https://access.redhat.com/errata/RHSA-2019:0877 No Types Assigned	https://access.redhat.com/errata/RHSA-2019:0877 Third Party Advisory
Changed	CPE Configuration	OR cpe:2.3:a:oracle:banking_platform:2.5.0::::::: cpe:2.3:a:oracle:banking_platform:2.6.0::::::: cpe:2.3:a:oracle:banking_platform:2.6.1::::::: cpe:2.3:a:oracle:banking_platform:2.6.2::::::: cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5::::::: cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0::::::: cpe:2.3:a:oracle:enterprise_manager_for_virtualization:13.2.2::::::: cpe:2.3:a:oracle:enterprise_manager_for_virtualization:13.2.3::::::: cpe:2.3:a:oracle:enterprise_manager_for_virtualization:13.3.1::::::: cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.2::::::: cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.3::::::: cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.4::::::: cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.5::::::: cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6::::::: cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.7::::::: cpe:2.3:a:oracle:primavera_unifier:16.1::::::: cpe:2.3:a:oracle:primavera_unifier:16.2::::::: cpe:2.3:a:oracle:primavera_unifier::::::::* versions from (including) 17.1 up to (including) 17.12 cpe:2.3:a:oracle:primavera_unifier:18.8::::::: cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:::::::	OR cpe:2.3:a:oracle:banking_platform:2.5.0::::::: cpe:2.3:a:oracle:banking_platform:2.6.0::::::: cpe:2.3:a:oracle:banking_platform:2.6.1::::::: cpe:2.3:a:oracle:banking_platform:2.6.2::::::: cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5::::::: cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0::::::: cpe:2.3:a:oracle:enterprise_manager_for_virtualization:13.2.2::::::: cpe:2.3:a:oracle:enterprise_manager_for_virtualization:13.2.3::::::: cpe:2.3:a:oracle:enterprise_manager_for_virtualization:13.3.1::::::: cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.2::::::: cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.3::::::: cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.4::::::: cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.5::::::: cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6::::::: cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.7::::::: cpe:2.3:a:oracle:jdeveloper:12.1.3.0.0::::::: cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0::::::: cpe:2.3:a:oracle:primavera_unifier:16.1::::::: cpe:2.3:a:oracle:primavera_unifier:16.2::::::: cpe:2.3:a:oracle:primavera_unifier::::::::* versions from (including) 17.1 up to (including) 17.12 cpe:2.3:a:oracle:primavera_unifier:18.8::::::: cpe:2.3:a:oracle:retail_merchandising_system:15.0::::::: cpe:2.3:a:oracle:retail_merchandising_system:16.0::::::: cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:::::::

CVE Modified by [email protected]

Apr. 24, 2019

Action Type Old Value New Value

Added Reference https://access.redhat.com/errata/RHSA-2019:0877 [No Types Assigned]
CVE Modified by [email protected]

Apr. 23, 2019

Action Type Old Value New Value

Added Reference https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html [No Types Assigned]

Action	Type	Old Value	New Value
Added	Reference		https://access.redhat.com/errata/RHSA-2019:0877 [No Types Assigned]

Action	Type	Old Value	New Value
Added	Reference		https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html [No Types Assigned]

Modified Analysis by [email protected]

Apr. 23, 2019

Action	Type	Old Value	New Value
Changed	Reference Type	https://access.redhat.com/errata/RHSA-2019:0782 No Types Assigned	https://access.redhat.com/errata/RHSA-2019:0782 Third Party Advisory
Changed	Reference Type	https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html Third Party Advisory	https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html Mailing List, Third Party Advisory
Changed	Reference Type	https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E No Types Assigned	https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E Third Party Advisory
Added	CPE Configuration		OR cpe:2.3:a:oracle:banking_platform:2.5.0::::::: cpe:2.3:a:oracle:banking_platform:2.6.0::::::: cpe:2.3:a:oracle:banking_platform:2.6.1::::::: cpe:2.3:a:oracle:banking_platform:2.6.2::::::: cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5::::::: cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0::::::: cpe:2.3:a:oracle:enterprise_manager_for_virtualization:13.2.2::::::: cpe:2.3:a:oracle:enterprise_manager_for_virtualization:13.2.3::::::: cpe:2.3:a:oracle:enterprise_manager_for_virtualization:13.3.1::::::: cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.2::::::: cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.3::::::: cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.4::::::: cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.5::::::: cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6::::::: cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.7::::::: cpe:2.3:a:oracle:primavera_unifier:16.1::::::: cpe:2.3:a:oracle:primavera_unifier:16.2::::::: cpe:2.3:a:oracle:primavera_unifier::::::::* versions from (including) 17.1 up to (including) 17.12 cpe:2.3:a:oracle:primavera_unifier:18.8::::::: cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:::::::

CVE Modified by [email protected]

Apr. 18, 2019

Action Type Old Value New Value

Added Reference https://access.redhat.com/errata/RHSA-2019:0782 [No Types Assigned]

Action	Type	Old Value	New Value
Added	Reference		https://access.redhat.com/errata/RHSA-2019:0782 [No Types Assigned]

CVE Modified by [email protected]

Apr. 16, 2019

Action	Type	Old Value	New Value
Added	Reference		https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E [No Types Assigned]

Modified Analysis by [email protected]

Mar. 08, 2019

Action	Type	Old Value	New Value
Changed	Reference Type	https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html No Types Assigned	https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html Third Party Advisory
Changed	Reference Type	https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html No Types Assigned	https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html Patch, Third Party Advisory
Added	CPE Configuration		OR cpe:2.3:o:debian:debian_linux:8.0:::::::

CVE Modified by [email protected]

Mar. 05, 2019

Action Type Old Value New Value

Added Reference https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html [No Types Assigned]
CVE Modified by [email protected]

Jan. 16, 2019

Action Type Old Value New Value

Added Reference https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html [No Types Assigned]

Action	Type	Old Value	New Value
Added	Reference		https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html [No Types Assigned]

Action	Type	Old Value	New Value
Added	Reference		https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html [No Types Assigned]

Initial Analysis by [email protected]

Jan. 10, 2019

Action	Type	Old Value	New Value
Added	CVSS V2		(AV:N/AC:L/Au:N/C:P/I:P/A:P)
Added	CVSS V3		AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Changed	Reference Type	https://github.com/FasterXML/jackson-databind/issues/2097 No Types Assigned	https://github.com/FasterXML/jackson-databind/issues/2097 Patch, Third Party Advisory
Changed	Reference Type	https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44 No Types Assigned	https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44 Patch, Third Party Advisory
Changed	Reference Type	https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.7 No Types Assigned	https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.7 Patch, Release Notes, Third Party Advisory
Added	CWE		CWE-502
Added	CPE Configuration		OR cpe:2.3:a:fasterxml:jackson-databind::::::::* versions from (including) 2.0.0 up to (excluding) 2.9.7

EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.

CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2018-14719 is associated with the following CWEs:

CWE-502: Deserialization of Untrusted Data

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2018-14719 weaknesses.

CAPEC-586: Object Injection Object Injection

Action	Type	Old Value	New Value
Removed	CVSS V3	NIST AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Added	CVSS V3.1		NIST AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Changed	Reference Type	https://access.redhat.com/errata/RHSA-2019:2804 No Types Assigned	https://access.redhat.com/errata/RHSA-2019:2804 Third Party Advisory
Changed	Reference Type	https://access.redhat.com/errata/RHSA-2019:2858 No Types Assigned	https://access.redhat.com/errata/RHSA-2019:2858 Third Party Advisory
Changed	Reference Type	https://access.redhat.com/errata/RHSA-2019:3002 No Types Assigned	https://access.redhat.com/errata/RHSA-2019:3002 Third Party Advisory
Changed	Reference Type	https://access.redhat.com/errata/RHSA-2019:3140 No Types Assigned	https://access.redhat.com/errata/RHSA-2019:3140 Third Party Advisory
Changed	Reference Type	https://access.redhat.com/errata/RHSA-2019:3149 No Types Assigned	https://access.redhat.com/errata/RHSA-2019:3149 Third Party Advisory
Changed	Reference Type	https://access.redhat.com/errata/RHSA-2019:3892 No Types Assigned	https://access.redhat.com/errata/RHSA-2019:3892 Third Party Advisory
Changed	Reference Type	https://access.redhat.com/errata/RHSA-2019:4037 No Types Assigned	https://access.redhat.com/errata/RHSA-2019:4037 Third Party Advisory
Changed	Reference Type	https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E No Types Assigned	https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E Mailing List, Third Party Advisory
Changed	Reference Type	https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E No Types Assigned	https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E Mailing List, Third Party Advisory
Changed	Reference Type	https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E No Types Assigned	https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E Mailing List, Third Party Advisory
Changed	Reference Type	https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E Third Party Advisory	https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E Mailing List, Third Party Advisory
Changed	Reference Type	https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E No Types Assigned	https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E Mailing List, Third Party Advisory
Changed	Reference Type	https://seclists.org/bugtraq/2019/May/68 Mailing List, Third Party Advisory	https://seclists.org/bugtraq/2019/May/68 Issue Tracking, Mailing List, Third Party Advisory
Changed	Reference Type	https://www.oracle.com/security-alerts/cpuapr2020.html No Types Assigned	https://www.oracle.com/security-alerts/cpuapr2020.html Third Party Advisory
Changed	Reference Type	https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html Patch, Third Party Advisory	https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html Third Party Advisory
Changed	Reference Type	https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html Patch, Third Party Advisory	https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html Third Party Advisory
Changed	Reference Type	https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html Patch, Third Party Advisory	https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html Third Party Advisory
Changed	Reference Type	https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html No Types Assigned	https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html Third Party Advisory
Changed	CPE Configuration	OR cpe:2.3:a:fasterxml:jackson-databind::::::::* versions from (including) 2.6.0 up to (excluding) 2.6.7.2 cpe:2.3:a:fasterxml:jackson-databind::::::::* versions from (including) 2.7.0 up to (excluding) 2.7.9.5 cpe:2.3:a:fasterxml:jackson-databind:2.7.0:rc1::::::* cpe:2.3:a:fasterxml:jackson-databind:2.7.0:rc2::::::* cpe:2.3:a:fasterxml:jackson-databind:2.7.0:rc3::::::* cpe:2.3:a:fasterxml:jackson-databind::::::::* versions from (including) 2.8.0 up to (excluding) 2.8.11.3 cpe:2.3:a:fasterxml:jackson-databind:2.8.0:rc1::::::* cpe:2.3:a:fasterxml:jackson-databind:2.8.0:rc2::::::* cpe:2.3:a:fasterxml:jackson-databind::::::::* versions from (including) 2.9.0 up to (excluding) 2.9.7 cpe:2.3:a:fasterxml:jackson-databind:2.9.0:pr1::::::* cpe:2.3:a:fasterxml:jackson-databind:2.9.0:pr2::::::* cpe:2.3:a:fasterxml:jackson-databind:2.9.0:pr3::::::* cpe:2.3:a:fasterxml:jackson-databind:2.9.0:pr4::::::*	OR cpe:2.3:a:fasterxml:jackson-databind::::::::* versions from (including) 2.6.0 up to (excluding) 2.6.7.2 cpe:2.3:a:fasterxml:jackson-databind::::::::* versions from (including) 2.7.0 up to (excluding) 2.7.9.5 cpe:2.3:a:fasterxml:jackson-databind::::::::* versions from (including) 2.8.0 up to (excluding) 2.8.11.3 cpe:2.3:a:fasterxml:jackson-databind::::::::* versions from (including) 2.9.0 up to (excluding) 2.9.7
Changed	CPE Configuration	OR cpe:2.3:a:oracle:banking_platform:2.5.0::::::: cpe:2.3:a:oracle:banking_platform:2.6.0::::::: cpe:2.3:a:oracle:banking_platform:2.6.1::::::: cpe:2.3:a:oracle:banking_platform:2.6.2::::::: cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5::::::: cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0::::::: cpe:2.3:a:oracle:enterprise_manager_for_virtualization:13.2.2::::::: cpe:2.3:a:oracle:enterprise_manager_for_virtualization:13.2.3::::::: cpe:2.3:a:oracle:enterprise_manager_for_virtualization:13.3.1::::::: cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.2::::::: cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.3::::::: cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.4::::::: cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.5::::::: cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6::::::: cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.7::::::: cpe:2.3:a:oracle:jdeveloper:12.1.3.0.0::::::: cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0::::::: cpe:2.3:a:oracle:primavera_unifier:16.1::::::: cpe:2.3:a:oracle:primavera_unifier:16.2::::::: cpe:2.3:a:oracle:primavera_unifier::::::::* versions from (including) 17.1 up to (including) 17.12 cpe:2.3:a:oracle:primavera_unifier:18.8::::::: cpe:2.3:a:oracle:retail_merchandising_system:15.0::::::: cpe:2.3:a:oracle:retail_merchandising_system:16.0::::::: cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:::::::	OR cpe:2.3:a:oracle:banking_platform:2.5.0::::::: cpe:2.3:a:oracle:banking_platform:2.6.0::::::: cpe:2.3:a:oracle:banking_platform:2.6.1::::::: cpe:2.3:a:oracle:banking_platform:2.6.2::::::: cpe:2.3:a:oracle:business_process_management_suite:12.1.3.0.0::::::: cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0::::::: cpe:2.3:a:oracle:clusterware:12.1.0.2.0::::::: cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5::::::: cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0::::::: cpe:2.3:a:oracle:database_server:11.2.0.4::::::: cpe:2.3:a:oracle:database_server:12.1.0.2::::::: cpe:2.3:a:oracle:database_server:12.2.0.1::::::: cpe:2.3:a:oracle:database_server:18c::::::: cpe:2.3:a:oracle:database_server:19c::::::: cpe:2.3:a:oracle:enterprise_manager_for_virtualization:13.2.2::::::: cpe:2.3:a:oracle:enterprise_manager_for_virtualization:13.2.3::::::: cpe:2.3:a:oracle:enterprise_manager_for_virtualization:13.3.1::::::: cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.2::::::: cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.3::::::: cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.4::::::: cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.5::::::: cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6::::::: cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.7::::::: cpe:2.3:a:oracle:global_lifecycle_management_opatch::::::::* versions up to (excluding) 11.2.0.3.23 cpe:2.3:a:oracle:global_lifecycle_management_opatch::::::::* versions from (including) 12.2.0.1.0 up to (excluding) 12.2.0.1.19 cpe:2.3:a:oracle:global_lifecycle_management_opatch::::::::* versions from (including) 13.9.4.0.0 up to (excluding) 13.9.4.2.1 cpe:2.3:a:oracle:jdeveloper:12.1.3.0.0::::::: cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0::::::: cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:15.1::::::: cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:15.2::::::: cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:16.1::::::: cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:16.2::::::: cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management::::::::* versions from (including) 17.7 up to (including) 17.12 cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:18.8::::::: cpe:2.3:a:oracle:primavera_unifier:16.1::::::: cpe:2.3:a:oracle:primavera_unifier:16.2::::::: cpe:2.3:a:oracle:primavera_unifier::::::::* versions from (including) 17.7 up to (including) 17.12 cpe:2.3:a:oracle:primavera_unifier:18.8::::::: cpe:2.3:a:oracle:retail_merchandising_system:15.0::::::: cpe:2.3:a:oracle:retail_merchandising_system:16.0::::::: cpe:2.3:a:oracle:retail_workforce_management_software:1.60.9.0.0::::::: cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:::::::
Changed	CPE Configuration	OR cpe:2.3:a:redhat:openshift_container_platform:3.11:::::::	OR cpe:2.3:a:redhat:openshift_container_platform::::::::* versions from (including) 3.11 up to (excluding) 3.11.153 cpe:2.3:a:redhat:openshift_container_platform::::::::* versions from (including) 4.6 up to (excluding) 4.6.26
Added	CPE Configuration		AND OR cpe:2.3:a:redhat:openshift_container_platform::::::::* versions from (including) 4.1 up to (excluding) 4.1.18 OR cpe:2.3:o:redhat:enterprise_linux:7.0:::::::*
Added	CPE Configuration		OR cpe:2.3:a:netapp:oncommand_workflow_automation:-::::::: cpe:2.3:a:netapp:snapcenter:-::::::: cpe:2.3:a:netapp:steelstore_cloud_integrated_storage::::::::*

CVE-2018-14719

FasterXML Jackson-databind Deserialization RCE Vulnerability

Description

INFO

Jan. 2, 2019, 6:29 p.m.

Nov. 7, 2023, 2:53 a.m.

[email protected]

Yes !

5.9

3.9

Public PoC/Exploit Available at Github

Affected Products

References to Advisories, Solutions, and Tools

seal-community/patches

PalindromeLabs/Java-Deserialization-CVEs

ilmari666/cybsec

CVE Modified by [email protected]

CVE Modified by [email protected]

Reanalysis by [email protected]

Modified Analysis by [email protected]

CVE Modified by [email protected]

CVE Modified by [email protected]

CVE Modified by [email protected]

CVE Modified by [email protected]

CVE Modified by [email protected]

CVE Modified by [email protected]

CVE Modified by [email protected]

CVE Modified by [email protected]

CVE Modified by [email protected]

CVE Modified by [email protected]

CVE Modified by [email protected]

CVE Modified by [email protected]

Modified Analysis by [email protected]

CVE Modified by [email protected]

CVE Modified by [email protected]

CVE Modified by [email protected]

CVE Modified by [email protected]

CVE Modified by [email protected]

CVE Modified by [email protected]

CVE Modified by [email protected]

CVE Modified by [email protected]

Modified Analysis by [email protected]

CVE Modified by [email protected]

CVE Modified by [email protected]

Modified Analysis by [email protected]

CVE Modified by [email protected]

CVE Modified by [email protected]

Modified Analysis by [email protected]

CVE Modified by [email protected]

CVE Modified by [email protected]

Initial Analysis by [email protected]

CWE - Common Weakness Enumeration

Common Attack Pattern Enumeration and Classification (CAPEC)

Exploit Prediction

1.00 }} -0.27%

0.83790

CVSS31 - Vulnerability Scoring System

Theme Customizer

Layout

Vertical

Horizontal

Two Column

Color Scheme

Light

Dark

Layout Width

Fluid

Boxed

Layout Position

Topbar Color

Light

Dark

Sidebar Size

Default

Compact

Small (Icon View)

Small Hover View

Sidebar View

Default

Detached