CVE-2017-7525

CWE-184 CWE-502 — Deserialization of Untrusted Data CWE-20 — Improper Input Validation24 documents8 sources

Severity

9.8CRITICAL

EPSS

79.3%

top 0.93%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fasterxml Jackson-databind Oracle Communications Diameter Signaling Route Oracle Global Lifecycle Management Opatchauto +14 more

Timeline

PublishedFeb 6

Latest updateMay 24

Description

A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages19 packages

▶NVDfasterxml/jackson-databind2.7.0 — 2.7.9.1+3

▶Mavencom.fasterxml.jackson.core:jackson-databind2.7.0 — 2.7.9.1+2

▶Debianjackson-databind< 2.9.1-1+3

▶CVEListV5fasterxml/jackson-databindbefore 2.6.7.1, before 2.7.9.1, before 2.8.9+2

▶Debianlibjackson-json-java< 1.9.13-2+3

Also affects: Debian Linux 8.0, 9.0, Openshift Container Platform 3.11, 4.1

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

GHSA

Deserialization of Untrusted Data in org.codehaus.jackson:jackson-mapper-asl↗2022-05-24

▶

GHSA

Deserialization of Untrusted Data in jackson-databind↗2020-06-30

▶

GHSA

jackson-databind vulnerable to deserialization flaw leading to unauthenticated remote code execution↗2018-10-18

▶

GHSA

jackson-databind vulnerable to remote code execution due to incorrect deserialization and blocklist bypass↗2018-10-18

▶

OSV

jackson-databind is vulnerable to a deserialization flaw↗2018-10-16

▶

📋Vendor Advisories

Ubuntu

Jackson vulnerabilities↗2021-02-18

▶

Red Hat

codehaus: incomplete fix for unsafe deserialization in jackson-databind vulnerabilities↗2019-09-30

▶

Red Hat

jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525)↗2017-11-02

▶

Red Hat

jackson-databind: Deserialization vulnerability via readValue method of ObjectMapper↗2017-07-14

▶

Debian

CVE-2017-7525: jackson-databind - A deserialization flaw was discovered in the jackson-databind, versions before 2...↗2017

▶

💬Community

Bugzilla

CVE-2019-10202 codehaus: incomplete fix for unsafe deserialization in jackson-databind vulnerabilities↗2019-07-18

▶

Bugzilla

CVE-2018-7489 jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries↗2018-02-26

▶

Bugzilla

CVE-2018-7489 jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries [fedora-all]↗2018-02-26

▶

Bugzilla

CVE-2018-5968 jackson-databind: unsafe deserialization due to incomplete blacklist (incomplete fix for CVE-2017-7525 and CVE-2017-17485)↗2018-01-24

▶

Bugzilla

CVE-2018-5968 jackson-databind: unsafe deserialization due to incomplete blacklist (incomplete fix for CVE-2017-7525 and CVE-2017-17485) [fedora-all]↗2018-01-24

▶