DEBIAN-CVE-2017-7525

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/CVE-2017-7525

Import Source

https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2017-7525.json

JSON Data

https://api.osv.dev/v1/vulns/DEBIAN-CVE-2017-7525

Upstream

CVE-2017-7525

Published

2018-02-06T15:29:00Z

Modified

2025-09-30T03:54:25Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.

References

https://security-tracker.debian.org/tracker/CVE-2017-7525

Affected packages

Debian:11

jackson-databind

Package

Name: jackson-databind
Purl: pkg:deb/debian/jackson-databind?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.9.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

libjackson-json-java

Package

Name: libjackson-json-java
Purl: pkg:deb/debian/libjackson-json-java?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.9.13-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12

jackson-databind

Package

Name: jackson-databind
Purl: pkg:deb/debian/jackson-databind?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.9.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

libjackson-json-java

Package

Name: libjackson-json-java
Purl: pkg:deb/debian/libjackson-json-java?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.9.13-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13

jackson-databind

Package

Name: jackson-databind
Purl: pkg:deb/debian/jackson-databind?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.9.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

libjackson-json-java

Package

Name: libjackson-json-java
Purl: pkg:deb/debian/libjackson-json-java?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.9.13-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:14

jackson-databind

Package

Name: jackson-databind
Purl: pkg:deb/debian/jackson-databind?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.9.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

libjackson-json-java

Package

Name: libjackson-json-java
Purl: pkg:deb/debian/libjackson-json-java?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.9.13-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}