Lucene search

K

GoogleOSV:GHSA-RFX6-VP9G-RH7V

HistoryOct 18, 2018 - 5:42 p.m.

jackson-databind vulnerable to remote code execution due to incorrect deserialization and blocklist bypass

2018-10-1817:42:48

Google

osv.dev

467

0.571 Medium

EPSS

Percentile

97.7%

FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.

CPENameOperatorVersion
com.fasterxml.jackson.core:jackson-databindeq2.4.1.2
com.fasterxml.jackson.core:jackson-databindeq2.5.0
com.fasterxml.jackson.core:jackson-databindeq2.4.6
com.fasterxml.jackson.core:jackson-databindeq2.3.0
com.fasterxml.jackson.core:jackson-databindeq2.8.9
com.fasterxml.jackson.core:jackson-databindeq2.6.6
com.fasterxml.jackson.core:jackson-databindeq2.5.0-rc1
com.fasterxml.jackson.core:jackson-databindeq2.4.6.1
com.fasterxml.jackson.core:jackson-databindeq2.3.5
com.fasterxml.jackson.core:jackson-databindeq2.7.4

Rows per page:

1-10 of 1021

References

access.redhat.com/errata/RHSA-2018:0116

access.redhat.com/errata/RHSA-2018:0342

access.redhat.com/errata/RHSA-2018:0478

access.redhat.com/errata/RHSA-2018:0479

access.redhat.com/errata/RHSA-2018:0480

access.redhat.com/errata/RHSA-2018:0481

access.redhat.com/errata/RHSA-2018:1447

access.redhat.com/errata/RHSA-2018:1448

access.redhat.com/errata/RHSA-2018:1449

access.redhat.com/errata/RHSA-2018:1450

access.redhat.com/errata/RHSA-2018:1451

access.redhat.com/errata/RHSA-2018:2930

access.redhat.com/errata/RHSA-2019:1782

access.redhat.com/errata/RHSA-2019:1797

access.redhat.com/errata/RHSA-2019:2858

access.redhat.com/errata/RHSA-2019:3149

access.redhat.com/errata/RHSA-2019:3892

github.com/FasterXML/jackson-databind

github.com/FasterXML/jackson-databind/commit/10fe7f17ea7c8da2a71e7a0c774b420a1d5c1b50

github.com/FasterXML/jackson-databind/commit/2235894210c75f624a3d0cd60bfb0434a20a18bf

github.com/FasterXML/jackson-databind/commit/459107dccc9b3ea991af3e6ad0953e54b01ef7c1

github.com/FasterXML/jackson-databind/commit/4f16f67ebd22c7522fdbb8a7eb87e3026a807d61

github.com/FasterXML/jackson-databind/commit/978798382ceb72229e5036aa1442943933d6d171

github.com/FasterXML/jackson-databind/commit/bb45fb16709018842f858f1a6e1118676aaa34bd

github.com/FasterXML/jackson-databind/commit/eb217dd0f87c5fb471e0668575644aa7eba9a3d3

github.com/FasterXML/jackson-databind/commit/f031f27a31625d07922bdd090664c69544200a5d

github.com/FasterXML/jackson-databind/issues/1855

github.com/irsl/jackson-rce-via-spel

nvd.nist.gov/vuln/detail/CVE-2017-17485

security.netapp.com/advisory/ntap-20180201-0003

support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03902en_us

web.archive.org/web/20200927162225/www.securityfocus.com/archive/1/541652/100/0/threaded

www.debian.org/security/2018/dsa-4114

www.oracle.com/security-alerts/cpuoct2020.html

0.571 Medium

EPSS

Percentile

97.7%

Related for OSV:GHSA-RFX6-VP9G-RH7V

osv17 nvd6 debiancve5 veracode12 prion6 github6 cvelist6 seebug3 ubuntucve5 cve6 nessus34 redhat32 redhatcve6 ibm11 fedora7 openvas20 checkpoint_advisories1 huawei1 debian8 zdt1 f51 mageia3 freebsd1 ubuntu1