CVE-2017-15095

UNKNOWN

Published 2018-02-06T15:00:00Z

Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2017-15095. We'll provide specific mitigation strategies based on your environment and risk profile.

No CVSS data available

Description

A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

FasterXML

jackson-databind

Affected Versions:

before 2.8.10 before 2.9.1

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

✓ GitHub Reviewed CRITICAL

jackson-databind vulnerable to deserialization flaw leading to unauthenticated remote code execution

GHSA-h592-38cm-4ggp

Advisory Details

jackson-databind in versions prior to 2.8.11 and 2.9.4 contain a deserialization flaw which allows an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525, blacklisting additonal vulnerable classes.

Affected Packages

Maven com.fasterxml.jackson.core:jackson-databind

ECOSYSTEM: ≥2.8.0 <2.8.11

Maven com.fasterxml.jackson.core:jackson-databind

ECOSYSTEM: ≥2.9.0 <2.9.4

Maven com.fasterxml.jackson.core:jackson-databind

ECOSYSTEM: ≥2.0.0 <2.6.7.3

Maven com.fasterxml.jackson.core:jackson-databind

ECOSYSTEM: ≥2.7.0 <2.7.9.2

CVSS Scoring

CVSS Score

9.0

CVSS Vector


                                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2017-15095

WEB https://github.com/FasterXML/jackson-databind/issues/1680

WEB https://github.com/FasterXML/jackson-databind/issues/1737

WEB https://github.com/FasterXML/jackson-databind/commit/a054585e2175ad0882f07bcafedecfac86230f1b

WEB https://github.com/FasterXML/jackson-databind/commit/a3939d36edcc755c8af55bdc1969e0fa8438f9db

WEB https://github.com/FasterXML/jackson-databind/commit/ddfddfba6414adbecaff99684ef66eebd3a92e92

WEB https://github.com/FasterXML/jackson-databind/commit/e865a7a4464da63ded9f4b1a2328ad85c9ded78b

WEB https://github.com/FasterXML/jackson-databind/commit/e8f043d1aac9b82eee907e0f0c3abbdea723a935

WEB https://github.com/tolbertam/jackson-databind/commit/80566a0f96b2003863f9d8f9ccc3b562001e147b

WEB https://access.redhat.com/errata/RHSA-2017:3189

WEB https://lists.apache.org/thread.html/f095a791bda6c0595f691eddd0febb2d396987eec5cbd29120d8c629@%3Csolr-user.lucene.apache.org%3E

WEB https://lists.debian.org/debian-lts-announce/2020/01/msg00037.html

WEB https://security.netapp.com/advisory/ntap-20171214-0003

WEB https://web.archive.org/web/20200401000000*/http://www.securityfocus.com/bid/103880

WEB https://web.archive.org/web/20201221192044/http://www.securitytracker.com/id/1039769

WEB https://www.debian.org/security/2017/dsa-4037

WEB https://www.oracle.com/security-alerts/cpuoct2020.html

WEB https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

WEB https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

WEB https://access.redhat.com/errata/RHSA-2017:3190

WEB https://access.redhat.com/errata/RHSA-2018:0342

WEB https://access.redhat.com/errata/RHSA-2018:0478

WEB https://access.redhat.com/errata/RHSA-2018:0479

WEB https://access.redhat.com/errata/RHSA-2018:0480

WEB https://access.redhat.com/errata/RHSA-2018:0481

WEB https://access.redhat.com/errata/RHSA-2018:0576

WEB https://access.redhat.com/errata/RHSA-2018:0577

WEB https://access.redhat.com/errata/RHSA-2018:1447

WEB https://access.redhat.com/errata/RHSA-2018:1448

WEB https://access.redhat.com/errata/RHSA-2018:1449

WEB https://access.redhat.com/errata/RHSA-2018:1450

WEB https://access.redhat.com/errata/RHSA-2018:1451

WEB https://access.redhat.com/errata/RHSA-2018:2927

WEB https://access.redhat.com/errata/RHSA-2019:2858

WEB https://access.redhat.com/errata/RHSA-2019:3149

WEB https://access.redhat.com/errata/RHSA-2019:3892

PACKAGE https://github.com/FasterXML/jackson-databind

WEB http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

WEB http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

WEB http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

Advisory provided by GitHub Security Advisory Database. Published: October 18, 2018, Modified: March 15, 2024

References

https://access.redhat.com/errata/RHSA-2018:1448

http://www.securityfocus.com/bid/103880

https://access.redhat.com/errata/RHSA-2018:0479

https://access.redhat.com/errata/RHSA-2018:0481

https://access.redhat.com/errata/RHSA-2018:1449

https://access.redhat.com/errata/RHSA-2018:1450

https://access.redhat.com/errata/RHSA-2018:0577

https://access.redhat.com/errata/RHSA-2018:0576

https://access.redhat.com/errata/RHSA-2017:3190

https://access.redhat.com/errata/RHSA-2018:1451

https://access.redhat.com/errata/RHSA-2017:3189

https://access.redhat.com/errata/RHSA-2018:2927

http://www.securitytracker.com/id/1039769

https://access.redhat.com/errata/RHSA-2018:0342

https://access.redhat.com/errata/RHSA-2018:0480

https://access.redhat.com/errata/RHSA-2018:1447

https://access.redhat.com/errata/RHSA-2018:0478

https://www.debian.org/security/2017/dsa-4037

https://access.redhat.com/errata/RHSA-2019:2858

https://access.redhat.com/errata/RHSA-2019:3149

https://access.redhat.com/errata/RHSA-2019:3892

https://lists.apache.org/thread.html/f095a791bda6c0595f691eddd0febb2d396987eec5cbd29120d8c629%40%3Csolr-user.lucene.apache.org%3E

https://lists.debian.org/debian-lts-announce/2020/01/msg00037.html

http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

https://www.oracle.com/security-alerts/cpuoct2020.html

https://security.netapp.com/advisory/ntap-20171214-0003/

https://github.com/FasterXML/jackson-databind/issues/1737

https://github.com/FasterXML/jackson-databind/issues/1680

Published: 2018-02-06T15:00:00Z

Last Modified: 2024-09-16T22:57:07.488Z

Copied to clipboard!

CVE-2017-15095

Expert Analysis

Description

Available Exploits

Related News

Affected Products

jackson-databind

Affected Versions:

GitHub Security Advisories

jackson-databind vulnerable to deserialization flaw leading to unauthenticated remote code execution

Advisory Details

Affected Packages

CVSS Scoring

CVSS Score

CVSS Vector

References

References

Request Analysis

What to expect

Request Received!