CVE-2017-15095

critical

Description

A deserialization flaw was discovered in jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of ObjectMapper. This issue extends the earlier flaw CVE-2017-7525; the fix adds more classes that could be abused to the deserialization blacklist.
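The flaw above only matters when an ObjectMapper has been configured to let the JSON document choose the class to instantiate (global "default typing"), a precondition the advisory does not spell out. The following is an added example, not code from the advisory or from the Jackson project, that places that weak configuration beside a hardened one. It assumes jackson-databind 2.10 or later on the classpath, which introduced the PolymorphicTypeValidator allowlist API; the fixed versions named on this page (2.8.10 and 2.9.1) predate it and only extend the blacklist. The Animal and Dog types are constructed for the demonstration.

```java
// Added example (not from the advisory or the Jackson project): the weak
// configuration that this class of flaw depends on, beside a hardened form.
// Assumes jackson-databind 2.10+ (activateDefaultTyping / BasicPolymorphicTypeValidator).
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.ObjectMapper.DefaultTyping;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingExample {

    // Constructed sample types for the demonstration.
    public abstract static class Animal {
        public String name;
    }

    public static class Dog extends Animal {
    }

    // Weak: global default typing with no validator. The JSON document, not the
    // application, decides which class is instantiated; the only guard is the
    // blacklist that CVE-2017-15095 extends, which is why untrusted input to
    // readValue was exploitable in the affected versions.
    static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // deprecated since 2.10 for exactly this reason
        return mapper;
    }

    // Hardened: polymorphic typing is only activated together with an allowlist.
    // Type ids that do not resolve to a subtype of Animal are rejected before any
    // constructor or setter of the named class runs.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Animal.class)
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, DefaultTyping.NON_FINAL);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        // Default typing uses the WRAPPER_ARRAY form: [ "<class name>", { ...fields... } ].
        String expected = "[\"" + Dog.class.getName() + "\",{\"name\":\"rex\"}]";
        // Constructed document naming a class the application never intended as a target.
        String unexpected = "[\"java.util.HashMap\",{\"name\":\"rex\"}]";

        // The weak mapper instantiates whatever class the document names.
        Object weak = weakMapper().readValue(expected, Object.class);
        System.out.println("weak mapper built: " + weak.getClass().getName());
        Object anyClass = weakMapper().readValue(unexpected, Object.class);
        System.out.println("weak mapper also built: " + anyClass.getClass().getName());

        // The hardened mapper accepts the intended subtype and refuses the rest.
        Animal ok = hardenedMapper().readValue(expected, Animal.class);
        System.out.println("hardened mapper built: " + ok.getClass().getName()
                + " named " + ok.name);
        try {
            hardenedMapper().readValue(unexpected, Animal.class);
        } catch (InvalidTypeIdException e) {
            System.out.println("hardened mapper rejected type id: " + e.getTypeId());
        }
    }
}
```

Two checks follow from this: grep the code base for enableDefaultTyping and for @JsonTypeInfo with Id.CLASS or Id.MINIMAL_CLASS on types reachable from untrusted input, and treat any hit on a jackson-databind version below 2.8.10 / 2.9.1 as exposed regardless of the blacklist; where default typing is genuinely needed, the allowlist form above removes the dependence on that blacklist altogether.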

References

https://access.redhat.com/errata/RHSA-2017:3189

https://access.redhat.com/errata/RHSA-2017:3190

https://access.redhat.com/errata/RHSA-2018:0342

https://access.redhat.com/errata/RHSA-2018:0478

https://access.redhat.com/errata/RHSA-2018:0479

https://access.redhat.com/errata/RHSA-2018:0480

https://access.redhat.com/errata/RHSA-2018:0481

https://access.redhat.com/errata/RHSA-2018:0576

https://access.redhat.com/errata/RHSA-2018:0577

https://access.redhat.com/errata/RHSA-2018:1447

https://access.redhat.com/errata/RHSA-2018:1448

https://access.redhat.com/errata/RHSA-2018:1449

https://access.redhat.com/errata/RHSA-2018:1450

https://access.redhat.com/errata/RHSA-2018:1451

https://access.redhat.com/errata/RHSA-2018:2927

https://access.redhat.com/errata/RHSA-2019:2858

https://access.redhat.com/errata/RHSA-2019:3149

https://access.redhat.com/errata/RHSA-2019:3892

https://github.com/FasterXML/jackson-databind/issues/1680

https://github.com/FasterXML/jackson-databind/issues/1737

https://lists.apache.org/thread.html/f095a791bda6c0595f691eddd0febb2d396987eec5cbd29120d8c629%40%3Csolr-user.lucene.apache.org%3E

https://lists.debian.org/debian-lts-announce/2020/01/msg00037.html

https://security.netapp.com/advisory/ntap-20171214-0003/

https://www.debian.org/security/2017/dsa-4037

https://www.oracle.com/security-alerts/cpuoct2020.html

https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

http://www.securitytracker.com/id/1039769

Details

Source: Mitre, NVD

Published: 2018-02-06

Risk Information

CVSS v2

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Severity: High

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical