CVE-2018-14720 : What You Need to Know

Learn about CVE-2018-14720 affecting FasterXML jackson-databind 2.x before 2.9.7, enabling XXE attacks due to polymorphic deserialization vulnerability. Find mitigation steps and updates here.

FasterXML jackson-databind 2.x before 2.9.7 is susceptible to external XML entity (XXE) attacks due to a vulnerability in polymorphic deserialization.

Understanding CVE-2018-14720

This CVE covers a flaw in the polymorphic deserialization of FasterXML jackson-databind that could allow an attacker to mount external XML entity (XXE) attacks against an application that deserializes untrusted input with the library.

What is CVE-2018-14720?

In FasterXML jackson-databind 2.x before 2.9.7, polymorphic deserialization fails to block certain JDK classes (not named in the advisory). An attacker who controls the input being deserialized can select one of those classes as the target type and use the resulting object to trigger XXE processing.

The Impact of CVE-2018-14720

A successful exploit gives the attacker an XXE attack against the deserializing application, potentially compromising the confidentiality and integrity of that application and the host it runs on.

Technical Details of CVE-2018-14720

FasterXML jackson-databind 2.x before 2.9.7 is affected by this vulnerability.

Vulnerability Description

The flaw is that the blocklist applied during polymorphic deserialization did not cover certain JDK classes (not specified in the advisory). When the type information in attacker-controlled input selects one of those classes, the instantiated object can be used to perform XML processing that resolves external entities, which is the XXE primitive.

Affected Systems and Versions

        Product: Not applicable (the advisory lists FasterXML jackson-databind)
        Vendor: Not applicable (FasterXML)
        Versions affected: 2.x before 2.9.7 (fixed in 2.9.7)

Exploitation Mechanism

An attacker who can supply JSON input to an application that deserializes it polymorphically with a vulnerable jackson-databind version can name one of the unblocked JDK classes as the target type, so that deserialization itself triggers the XXE attack. No other interaction with the application is required beyond delivering the input.

Mitigation and Prevention

To address CVE-2018-14720, follow these steps:

Immediate Steps to Take

        Update FasterXML jackson-databind to version 2.9.7 or later.
        Do not deserialize untrusted input with unrestricted polymorphic type handling; restrict the set of classes that type information in the input may select, and validate input before it reaches the deserializer.
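To make the second step concrete, the following added example (not code from the original page or from the jackson-databind project) contrasts the weak setting the vulnerability depends on, global default typing that lets the input choose the class, with a hardened mapper that only accepts an explicit, named set of subtypes. The Shape/Drawing model and the sample JSON are hypothetical and constructed for the example; the PolymorphicTypeValidator API assumes jackson-databind 2.10 or later.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class PolymorphicConfigExample {
    // Hypothetical domain model: the closed set of subtypes the application accepts.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "kind")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = Circle.class, name = "circle"),
        @JsonSubTypes.Type(value = Square.class, name = "square")
    })
    public interface Shape {}
    public static class Circle implements Shape { public double radius; }
    public static class Square implements Shape { public double side; }
    public static class Drawing { public Shape shape; }

    // Weak setting: global default typing lets the type id embedded in the JSON choose
    // the class to instantiate, so input can name any non-final class on the classpath.
    // Before 2.9.7 the built-in blocklist missed the JDK classes this CVE concerns.
    public static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL); // deprecated in 2.10+
        return mapper;
    }

    // Hardened setting: no default typing at all; polymorphism only via the named
    // subtypes above, plus a validator (2.10+) that restricts any annotation-based
    // polymorphic property elsewhere in the model to the Shape hierarchy.
    public static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Shape.class)
                .build();
        return new ObjectMapper().setPolymorphicTypeValidator(ptv);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs: one valid document, one whose type id is not registered.
        String good = "{\"shape\":{\"kind\":\"circle\",\"radius\":2.0}}";
        String unlisted = "{\"shape\":{\"kind\":\"something-else\"}}";
        Drawing d = hardenedMapper().readValue(good, Drawing.class);
        System.out.println("parsed " + d.shape.getClass().getSimpleName());
        try {
            hardenedMapper().readValue(unlisted, Drawing.class); // unknown id is rejected
        } catch (InvalidTypeIdException e) {
            System.out.println("rejected unknown type id: " + e.getTypeId());
        }
    }
}
```

The hardened mapper never instantiates a class the input names that is outside the registered subtypes, which is the property the advisory's fix and the input-restriction step are meant to guarantee.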

Long-Term Security Practices

        Regularly monitor for security advisories and updates related to FasterXML jackson-databind.
        Conduct security assessments and audits to identify and mitigate similar vulnerabilities.

Patching and Updates

        Apply patches and updates provided by FasterXML to address the vulnerability in jackson-databind.
