#VU17776 Server-Side Request Forgery (SSRF) in jackson-databind


Published: 2019-02-19

Vulnerability identifier: #VU17776

Vulnerability risk: Low

CVSSv3.1:

CVE-ID: CVE-2018-14721

CWE-ID: CWE-918

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
jackson-databind
Universal components / Libraries / Libraries used by multiple products

Vendor: FasterXML

Description

The disclosed vulnerability allows a remote attacker to perform SSRF attacks.

The vulnerability exists due to fail to block the axis2-jaxws class from polymorphic deserialization. A remote attacker can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems.

Successful exploitation of this vulnerability may allow a remote attacker gain access to sensitive data, located in the local network or send malicious requests to other servers from the vulnerable system.

Mitigation
Update to version 2.9.7.

Vulnerable software versions

jackson-databind: 2.9.0 - 2.9.6


CPE

External links
http://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44
http://github.com/FasterXML/jackson-databind/issues/2097
http://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.7


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?


Latest bulletins with this vulnerability