
CVE-2017-15095

Published: 06 Feb 2018
Source: debian
EPSS: Low

Description

A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.

Packages

| Package | Status | Fix version | Release | Type |
|---|---|---|---|---|
| jackson-databind | fixed | 2.9.1-1 | | package |
| libjackson-json-java | fixed | 1.9.13-2 | | package |
| libjackson-json-java | fixed | 1.9.13-2~deb10u1 | buster | package |

Notes

  • The Debian upload for stretch (2.8.6-1+deb9u1) and jessie (2.4.2-2+deb8u1) misses the further sets of blacklists, in particular as well https://github.com/FasterXML/jackson-databind/commit/3bfbb835 which was already for CVE-2017-7525 but then the further tickets and patches to block more dangerous types (at least they are):

    https://github.com/FasterXML/jackson-databind/issues/1680
    https://github.com/FasterXML/jackson-databind/issues/1723
    https://github.com/FasterXML/jackson-databind/issues/1737
    https://github.com/FasterXML/jackson-databind/commit/e8f043d1
    https://github.com/FasterXML/jackson-databind/commit/ddfddfba

  • This CVE-2017-15095 should be considered to include everything in NO_DESER_CLASS_NAMES as of: https://github.com/FasterXML/jackson-databind/blob/7093008aa2afe8068e120df850189ae072dfa1b2/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java#L43

  • Details: https://www.openwall.com/lists/oss-security/2017/11/02/3

  • For libjackson-json-java: https://github.com/FasterXML/jackson-1/commit/9ac68db819bce7b9546bc4bf1c44f82ca910fa31

EPSS

Percentile: 93%
Score: 0.09261
Rating: Low

Related vulnerabilities

CVSS3: 9.8
ubuntu
about 8 years ago


CVSS3: 8.1
redhat
more than 8 years ago


CVSS3: 9.8
nvd
about 8 years ago


CVSS3: 9.8
github
more than 7 years ago

jackson-databind vulnerable to deserialization flaw leading to unauthenticated remote code execution
