CVE-2017-15095

CRITICALImmediate

Published:Feb 6, 2018(8 years ago)

Modified:Nov 21, 2024

Remote ExploitNo Auth RequiredNo InteractionLow Complexity

Vulnerability Description

A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.

Attack Characteristics

Network AccessLow ComplexityNo Auth NeededNo User Interaction

🤖

AI analysis not yet available

Plain-English explanation, risk summary, and remediation steps will appear here once AI analysis is complete.

No Fix Known

No patch has been released yet. Apply workarounds or mitigations where available.

Affected Software

Vendor	Product	Versions	Fixed In
fasterxml	jackson-databind	2.0.0 - 2.6.7.2	-
fasterxml	jackson-databind	2.7.0 - 2.7.9.2	-
fasterxml	jackson-databind

Timeline

Published
CVE disclosed publicly
Feb 6, 20188 years ago
Last Modified
Most recent update
Nov 21, 20241 year ago
Indexed to CVEInsight
Added to this platform
Mar 29, 20261 month ago

References

http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067...Patch
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247...Patch
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296...Patch

CVSS Score

v3.1

9.8/ 10.0

CRITICAL

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

At a Glance

Affected Products

References

fasterxml / jackson-databind

http://www.securityfocus.com/bid/103880Third Party Advisory

http://www.securitytracker.com/id/1039769Third Party Advisory

https://access.redhat.com/errata/RHSA-2017:3189Third Party Advisory

https://access.redhat.com/errata/RHSA-2017:3190Third Party Advisory

https://access.redhat.com/errata/RHSA-2018:0342Third Party Advisory

https://access.redhat.com/errata/RHSA-2018:0478Third Party Advisory

https://access.redhat.com/errata/RHSA-2018:0479Third Party Advisory

https://access.redhat.com/errata/RHSA-2018:0480Third Party Advisory

https://access.redhat.com/errata/RHSA-2018:0481Third Party Advisory

https://access.redhat.com/errata/RHSA-2018:0576Third Party Advisory

https://access.redhat.com/errata/RHSA-2018:0577Third Party Advisory

https://access.redhat.com/errata/RHSA-2018:1447Third Party Advisory

https://access.redhat.com/errata/RHSA-2018:1448Third Party Advisory

https://access.redhat.com/errata/RHSA-2018:1449Third Party Advisory

https://access.redhat.com/errata/RHSA-2018:1450Third Party Advisory

https://access.redhat.com/errata/RHSA-2018:1451Third Party Advisory

https://access.redhat.com/errata/RHSA-2018:2927Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:2858Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:3149Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:3892Third Party Advisory

https://github.com/FasterXML/jackson-databind/issues/1680Issue Tracking

https://github.com/FasterXML/jackson-databind/issues/1737Issue Tracking

https://lists.apache.org/thread.html/f095a791bda6c0595f691eddd0febb2d3...

https://lists.debian.org/debian-lts-announce/2020/01/msg00037.htmlMailing List

https://security.netapp.com/advisory/ntap-20171214-0003/Third Party Advisory

https://www.debian.org/security/2017/dsa-4037Third Party Advisory

https://www.oracle.com/security-alerts/cpuoct2020.htmlThird Party Advisory

https://www.oracle.com/technetwork/security-advisory/cpujan2019-507280...Patch

https://www.oracle.com/technetwork/security-advisory/cpujul2019-507283...Patch

http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067...Patch

http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247...Patch

http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296...Patch