Remote Code Execution (RCE)

2019-01-1509:20:28

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

0.571 Medium

EPSS

Percentile

97.7%

JSON

Jackson-databind is vulnerable to remote code execution (RCE) attacks. Attackers can exploit an incomplete fix of CVE-2017-7525 to bypass the blacklist when Spring libraries are available on the class path. In order to be vulnerable to this attack, either the use of @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) or @JsonTypeInfo(use = JsonTypeInfo.Id.MINIMAL_CLASS) or a call to ObjectMapper.enableDefaultTyping(...) is needed.

CPENameOperatorVersion
rh-eclipse46-jackson-databindeq2.6.3__2.2.el7
rh-maven35-jackson-databindeq2.7.6__2.2.el7
jboss-as-process-controllereq7.5.16__1.Final_redhat_1.1.ep6.el7
jboss-as-process-controllereq7.4.2__3.Final_redhat_2.1.ep6.el7
jboss-as-process-controllereq7.5.9__2.Final_redhat_2.1.ep6.el7
jboss-as-process-controllereq7.5.4__2.Final_redhat_4.1.ep6.el5
jboss-as-process-controllereq7.5.16__1.Final_redhat_1.1.ep6.el5
jboss-as-process-controllereq7.5.14__2.Final_redhat_2.1.ep6.el7
jboss-as-process-controllereq7.3.2__2.Final_redhat_2.1.ep6.el5
jboss-as-process-controllereq7.5.13__2.Final_redhat_2.1.ep6.el7

Name	Operator	Version
rh-eclipse46-jackson-databind	eq	2.6.3__2.2.el7
rh-maven35-jackson-databind	eq	2.7.6__2.2.el7
jboss-as-process-controller	eq	7.5.16__1.Final_redhat_1.1.ep6.el7
jboss-as-process-controller	eq	7.4.2__3.Final_redhat_2.1.ep6.el7
jboss-as-process-controller	eq	7.5.9__2.Final_redhat_2.1.ep6.el7
jboss-as-process-controller	eq	7.5.4__2.Final_redhat_4.1.ep6.el5
jboss-as-process-controller	eq	7.5.16__1.Final_redhat_1.1.ep6.el5
jboss-as-process-controller	eq	7.5.14__2.Final_redhat_2.1.ep6.el7
jboss-as-process-controller	eq	7.3.2__2.Final_redhat_2.1.ep6.el5
jboss-as-process-controller	eq	7.5.13__2.Final_redhat_2.1.ep6.el7