Lucene search

K
githubGitHub Advisory DatabaseGHSA-X2W5-5M2G-7H5M
HistoryJan 04, 2019 - 7:09 p.m.

XML External Entity Reference (XXE) in jackson-databind

2019-01-0419:09:46
CWE-502
CWE-611
GitHub Advisory Database
github.com
200
fasterxml
jackson-databind
xxe
xml entity attacks
jdk classes
polymorphic deserialization

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.008

Percentile

82.2%

FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.

Affected configurations

Vulners
Node
com.fasterxml.jackson.corejackson-databindRange2.7.02.7.9.2
OR
com.fasterxml.jackson.corejackson-databindRange2.8.02.8.11.2
OR
com.fasterxml.jackson.corejackson-databindRange2.9.02.9.7
VendorProductVersionCPE
com.fasterxml.jackson.corejackson-databind*cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:*:*:*:*:*:*:*:*

References

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.008

Percentile

82.2%