FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.
History
19 Jan 2021, 15:51
Type | Values Removed | Values Added |
---|---|---|
References | (REDHAT) https://access.redhat.com/errata/RHSA-2019:2858 - Third Party Advisory | |
References | (REDHAT) https://access.redhat.com/errata/RHSA-2019:3149 - Third Party Advisory | |
References | (REDHAT) https://access.redhat.com/errata/RHSA-2019:3892 - Third Party Advisory | |
References | (MISC) https://www.oracle.com/security-alerts/cpuoct2020.html - Third Party Advisory | |
CPE | cpe:2.3:a:redhat:jboss_brms:6.4.10:*:*:*:*:*:*:* cpe:2.3:a:fasterxml:jackson:*:*:*:*:*:*:*:* cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.1.0:*:*:*:*:*:*:* cpe:2.3:a:redhat:jboss_bpm_suite:6.4.11:*:*:*:*:*:*:* cpe:2.3:a:redhat:jboss_operations_network:3.3.10:*:*:*:*:*:*:* | cpe:2.3:a:netapp:e-series_santricity_os_controller:*:*:*:*:*:*:*:* cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.1:*:*:*:*:*:*:* cpe:2.3:a:redhat:openshift_container_platform:4.1:*:*:*:*:*:*:* cpe:2.3:a:netapp:oncommand_shift:-:*:*:*:*:*:*:* cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:* cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:* cpe:2.3:o:redhat:enterprise_linux_server:5.0:*:*:*:*:*:*:* cpe:2.3:a:netapp:e-series_santricity_web_services_proxy:-:*:*:*:*:*:*:* cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:* cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:* |
Information
Published : 2018-01-10 18:29
Updated : 2023-12-10 12:15
NVD link : CVE-2017-17485
Mitre link : CVE-2017-17485
CVE.ORG link : CVE-2017-17485
Products Affected
debian
- debian_linux
netapp
- oncommand_shift
- e-series_santricity_web_services_proxy
- e-series_santricity_os_controller
- snapcenter
fasterxml
- jackson-databind
redhat
- enterprise_linux_server
- openshift_container_platform
- jboss_enterprise_application_platform
CWE
CWE-502
Deserialization of Untrusted Data