Описание
FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.
| Релиз | Статус | Примечание |
|---|---|---|
| artful | released | 2.8.6-1+deb9u3build0.17.10.1 |
| bionic | not-affected | 2.9.4-1 |
| cosmic | not-affected | 2.9.4-1 |
| devel | not-affected | 2.9.4-1 |
| disco | not-affected | 2.9.4-1 |
| eoan | not-affected | 2.9.4-1 |
| esm-apps/bionic | not-affected | 2.9.4-1 |
| esm-apps/focal | not-affected | 2.9.4-1 |
| esm-apps/jammy | not-affected | 2.9.4-1 |
| esm-apps/xenial | released | 2.4.2-3ubuntu0.1~esm1 |
Показывать по
EPSS
6.8 Medium
CVSS2
8.1 High
CVSS3
Связанные уязвимости
FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.
FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.
FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allo ...
Deserialization of Untrusted Data in jackson-databind
Уязвимость библиотеки Jackson-databind, связанная с недостатками механизма десериализации, позволяющая нарушителю выполнить произвольный код
EPSS
6.8 Medium
CVSS2
8.1 High
CVSS3