Seal Security

CVE-2017-15095

jackson-databind vulnerable to deserialization flaw leading to unauthenticated remote code execution

jackson-databind in versions prior to 2.8.11 and 2.9.4 contain a deserialization flaw which allows an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525, blacklisting additonal vulnerable classes.

Patch Available

Fix available through Seal Security. No upgrade required, protect your application instantly.

Fix without upgrading

Vulnerability Details

Score

9.8

Score Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Versions

com.fasterxml.jackson.core:jackson-databind >= 2.8.0 < 2.8.11; com.fasterxml.jackson.core:jackson-databind >= 2.9.0 < 2.9.4; com.fasterxml.jackson.core:jackson-databind >= 2.0.0 < 2.6.7.3; com.fasterxml.jackson.core:jackson-databind >= 2.7.0 < 2.7.9.2

Severity

Ecosystem

Publish Date

October 18, 2018

Modified Date

March 14, 2024