CVE-2017-17485: FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the…

critical9.8CVSS 3.1

AVNACLPRNUINSUCHIHAH

FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.

Affected

22 ranges

Vendor	Product	Version range	Fixed in
debian	debian_linux	—	—
debian	debian_linux	—	—
debian	jackson-databind	< jackson-databind 2.9.4-1 (bookworm)	jackson-databind 2.9.4-1 (bookworm)
fasterxml	jackson-databind	< 2.6.7.3	2.6.7.3
fasterxml	jackson-databind	>= 0 < 2.9.4-1	2.9.4-1
fasterxml	jackson-databind	>= 0 < 2.9.4-1	2.9.4-1
fasterxml	jackson-databind	>= 0 < 2.9.4-1	2.9.4-1
fasterxml	jackson-databind	>= 0 < 2.9.4-1	2.9.4-1
fasterxml	jackson-databind	>= 2.0.0 < 2.6.7.3	2.6.7.3
fasterxml	jackson-databind	>= 2.7.0 < 2.7.9.2	2.7.9.2
fasterxml	jackson-databind	>= 2.8.0 < 2.8.11	2.8.11
fasterxml	jackson-databind	>= 2.8.0 < 2.8.11.1	2.8.11.1
fasterxml	jackson-databind	>= 2.9.0 < 2.9.4	2.9.4
netapp	e-series_santricity_os_controller	11.0.0 – 11.60.3	—
redhat	jboss_enterprise_application_platform	—	—
redhat	jboss_enterprise_application_platform	—	—
redhat	jboss_enterprise_application_platform	—	—
redhat	jboss_enterprise_application_platform	—	—
redhat	openshift_container_platform	—	—
redhat	openshift_container_platform	—	—
redhat	virtualization	—	—
redhat	virtualization_host	—	—

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

ghsa9.8CRITICAL

osv9.8CRITICAL