CVE-2017-7525

jackson-databind is vulnerable to a deserialization flaw

A deserialization flaw was discovered in jackson-databind, in versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of the ObjectMapper.

Patch Available

Fix available through Seal Security. No upgrade required, protect your application instantly.

Vulnerability Details

Score: 9.8
Score Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Versions:
- com.fasterxml.jackson.core:jackson-databind < 2.6.7.1
- com.fasterxml.jackson.core:jackson-databind >= 2.7.0, < 2.7.9.1
- com.fasterxml.jackson.core:jackson-databind >= 2.8.0, < 2.8.9
Severity:
Ecosystem:
Publish Date: October 16, 2018
Modified Date: March 11, 2024