CVE-2017-15095

Опубликовано: 06 фев. 2018

Источник: ubuntu

Приоритет: medium

EPSS Низкий

CVSS2: 7.5

CVSS3: 9.8

Описание

A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.

Релиз	Статус	Примечание
artful	released	2.8.6-1+deb9u2build0.17.10.1
bionic	not-affected	2.9.1-1
cosmic	not-affected	2.9.1-1
devel	not-affected	2.9.1-1
disco	not-affected	2.9.1-1
eoan	not-affected	2.9.1-1
esm-apps/bionic	not-affected	2.9.1-1
esm-apps/focal	not-affected	2.9.1-1
esm-apps/jammy	not-affected	2.9.1-1
esm-apps/noble	not-affected	2.9.1-1

Показывать по

Релиз	Статус	Примечание
bionic	ignored	end of standard support, was needs-triage
devel	not-affected	1.9.13-2
esm-apps/bionic	needs-triage
esm-apps/focal	needs-triage
esm-apps/jammy	not-affected	1.9.13-2
esm-apps/noble	not-affected	1.9.13-2
esm-apps/xenial	released	1.9.2-7ubuntu0.2
esm-infra-legacy/trusty	released	1.9.2-3+deb8u1build0.14.04.1~esm1
focal	ignored	end of standard support, was needs-triage
groovy	ignored	end of life

Показывать по

Ссылки на источники

EPSS

Процентиль: 93%

0.09261

Низкий

7.5 High

CVSS2

9.8 Critical

CVSS3

Связанные уязвимости

CVE-2017-15095

CVSS3: 8.1

redhat

больше 8 лет назад

CVE-2017-15095

CVSS3: 9.8

nvd

около 8 лет назад

CVE-2017-15095

CVSS3: 9.8

debian

около 8 лет назад

A deserialization flaw was discovered in the jackson-databind in versi ...

GHSA-h592-38cm-4ggp

CVSS3: 9.8

github

больше 7 лет назад

jackson-databind vulnerable to deserialization flaw leading to unauthenticated remote code execution

EPSS

Процентиль: 93%

0.09261

Низкий

7.5 High

CVSS2

9.8 Critical

CVSS3

CVE-2017-15095

Описание

Пакет jackson-databind

Пакет libjackson-json-java

Ссылки на источники

Связанные уязвимости