CVE-2017-15095

Source
https://nvd.nist.gov/vuln/detail/CVE-2017-15095
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-15095.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2017-15095
Aliases
Related
Published
2018-02-06T15:29:00Z
Modified
2024-09-18T02:45:39.069160Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.

References

Affected packages

Debian:11 / jackson-databind

Package

Name
jackson-databind
Purl
pkg:deb/debian/jackson-databind?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.9.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / jackson-databind

Package

Name
jackson-databind
Purl
pkg:deb/debian/jackson-databind?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.9.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / jackson-databind

Package

Name
jackson-databind
Purl
pkg:deb/debian/jackson-databind?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.9.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:11 / libjackson-json-java

Package

Name
libjackson-json-java
Purl
pkg:deb/debian/libjackson-json-java?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.9.13-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / libjackson-json-java

Package

Name
libjackson-json-java
Purl
pkg:deb/debian/libjackson-json-java?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.9.13-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / libjackson-json-java

Package

Name
libjackson-json-java
Purl
pkg:deb/debian/libjackson-json-java?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.9.13-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/fasterxml/jackson-databind

Affected ranges

Type
GIT
Repo
https://github.com/fasterxml/jackson-databind
Events

Affected versions

2.*

2.2.0c
2.6.0-rc3b

jackson-databind-2.*

jackson-databind-2.0.0
jackson-databind-2.0.1
jackson-databind-2.0.2
jackson-databind-2.0.4
jackson-databind-2.1.0
jackson-databind-2.1.1
jackson-databind-2.2.0
jackson-databind-2.2.0-rc1
jackson-databind-2.2.1
jackson-databind-2.2.2
jackson-databind-2.3.0
jackson-databind-2.3.0-rc1
jackson-databind-2.3.1
jackson-databind-2.4.0
jackson-databind-2.4.0-rc1
jackson-databind-2.4.0-rc2
jackson-databind-2.4.0-rc3
jackson-databind-2.4.1
jackson-databind-2.4.1.1
jackson-databind-2.4.1.2
jackson-databind-2.4.1.3
jackson-databind-2.4.2
jackson-databind-2.4.3
jackson-databind-2.4.4
jackson-databind-2.4.5
jackson-databind-2.4.5.1
jackson-databind-2.4.6
jackson-databind-2.5.0
jackson-databind-2.5.0-rc1
jackson-databind-2.5.1
jackson-databind-2.5.2
jackson-databind-2.5.3
jackson-databind-2.5.4
jackson-databind-2.5.5
jackson-databind-2.6.0
jackson-databind-2.6.0-rc1
jackson-databind-2.6.0-rc2
jackson-databind-2.6.0-rc4
jackson-databind-2.6.1
jackson-databind-2.6.2
jackson-databind-2.6.3
jackson-databind-2.6.4
jackson-databind-2.6.5
jackson-databind-2.6.6
jackson-databind-2.6.7
jackson-databind-2.6.7.1