CVE-2017-15095

jackson-databind vulnerable to deserialization flaw leading to unauthenticated remote code execution

Description

jackson-databind in versions prior to 2.8.11 and 2.9.4 contain a deserialization flaw which allows an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525, blacklisting additonal vulnerable classes.

Patch Available

Fix available through Seal Security. No upgrade required, protect your application instantly.

Fix without upgrading

Vulnerability Details

Score

Score Vector

Affected Versions

Severity

Ecosystem

Java

Publish Date

October 18, 2018

Modified Date

March 14, 2024