Red Hat CVE database (redhat.com): RH:CVE-2018-14720
History: Apr 09, 2020 - 12:16 p.m.

CVE-2018-14720

2020-04-09 12:16:41
redhat.com
access.redhat.com
11

EPSS: 0.011

Percentile: 84.1%

FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.

Mitigation

The following conditions are needed for an exploit; we recommend avoiding all of them if possible:

  • Deserialization from sources you do not control
  • enableDefaultTyping()
  • @JsonTypeInfo using `id.CLASS` or `id.MINIMAL_CLASS`
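The risky configuration named in the first two bullets, placed beside a hardened alternative that keeps default typing off and binds `@JsonTypeInfo` to an explicit allow-list of subtypes instead of a class name. This is an added example, not code from Red Hat or the jackson-databind project; the `Shape`, `Circle` and `Square` types and the sample JSON are constructed for illustration.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;

public class PolymorphicTypingExample {

    // Risky configuration (mitigation bullets 1 and 2): with global default
    // typing enabled, an untrusted document can name the Java class to build.
    static ObjectMapper riskyMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping();   // avoid on input you do not control
        return mapper;
    }

    // Hardened alternative (mitigation bullet 3): polymorphism is expressed
    // with logical names bound to a fixed set of subtypes, so the JSON can
    // never select an arbitrary class the way Id.CLASS / Id.MINIMAL_CLASS allow.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "kind")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = Circle.class, name = "circle"),
        @JsonSubTypes.Type(value = Square.class, name = "square")
    })
    public interface Shape { double area(); }

    public static final class Circle implements Shape {
        public double radius;
        public double area() { return Math.PI * radius * radius; }
    }

    public static final class Square implements Shape {
        public double side;
        public double area() { return side * side; }
    }

    static ObjectMapper hardenedMapper() {
        return new ObjectMapper();      // default typing stays disabled
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: "kind" is matched against the allow-list only.
        String json = "{\"kind\":\"circle\",\"radius\":2.0}";
        Shape s = hardenedMapper().readValue(json, Shape.class);
        System.out.println("area = " + s.area());

        // A document naming a class instead of a registered kind is rejected.
        try {
            hardenedMapper().readValue("{\"kind\":\"java.lang.Object\"}", Shape.class);
        } catch (InvalidTypeIdException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```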