CVE-2017-15095: A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code…

critical9.8CVSS 3.1

AVNACLPRNUINSUCHIHAH

A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.

Affected

51 ranges· showing 25

Vendor	Product	Version range	Fixed in
debian	debian_linux	—	—
debian	debian_linux	—	—
debian	jackson-databind	< jackson-databind 2.9.1-1 (bookworm)	jackson-databind 2.9.1-1 (bookworm)
debian	libjackson-json-java	< jackson-databind 2.9.1-1 (bookworm)	jackson-databind 2.9.1-1 (bookworm)
fasterxml	jackson-databind	—	—
fasterxml	jackson-databind	>= 0 < 2.9.1-1	2.9.1-1
fasterxml	jackson-databind	>= 0 < 2.9.1-1	2.9.1-1
fasterxml	jackson-databind	>= 0 < 2.9.1-1	2.9.1-1
fasterxml	jackson-databind	>= 0 < 2.9.1-1	2.9.1-1
fasterxml	jackson-databind	>= 2.0.0 < 2.6.7.2	2.6.7.2
fasterxml	jackson-databind	>= 2.7.0 < 2.7.9.2	2.7.9.2
fasterxml	jackson-databind	>= 2.8.0 < 2.8.10	2.8.10
oracle	banking_platform	—	—
oracle	banking_platform	—	—
oracle	banking_platform	—	—
oracle	banking_platform	—	—
oracle	clusterware	—	—
oracle	communications_billing_and_revenue_management	—	—
oracle	communications_billing_and_revenue_management	—	—
oracle	communications_diameter_signaling_router	< 8.3	8.3
oracle	communications_instant_messaging_server	—	—
oracle	database_server	—	—
oracle	database_server	—	—
oracle	enterprise_manager_for_virtualization	—	—
oracle	enterprise_manager_for_virtualization	—	—

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

ghsa9.8CRITICAL

osv9.8CRITICAL