GHSA-qxxx-2pp7-5hmx

Source

https://github.com/advisories/GHSA-qxxx-2pp7-5hmx

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-qxxx-2pp7-5hmx/GHSA-qxxx-2pp7-5hmx.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-qxxx-2pp7-5hmx

Aliases

CVE-2017-7525

Published

2018-10-16T17:21:35Z

Modified

2024-03-11T05:19:49.080060Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

jackson-databind is vulnerable to a deserialization flaw

Details

A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.

Database specific

{
    "nvd_published_at": "2018-02-06T15:29:00Z",
    "cwe_ids": [
        "CWE-184",
        "CWE-502"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:53:14Z"
}

References

Affected packages

Maven / com.fasterxml.jackson.core:jackson-databind

Package

Name: com.fasterxml.jackson.core:jackson-databind; View open source insights on deps.dev
Purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.6.7.1

Affected versions

2.*

2.0.0-RC1

2.0.0-RC2

2.0.0-RC3

2.0.0

2.0.1

2.0.2

2.0.4

2.0.5

2.0.6

2.1.0

2.1.1

2.1.2

2.1.3

2.1.4

2.1.5

2.2.0-rc1

2.2.0

2.2.1

2.2.2

2.2.3

2.2.4

2.3.0-rc1

2.3.0

2.3.1

2.3.2

2.3.3

2.3.4

2.3.5

2.4.0-rc1

2.4.0-rc2

2.4.0-rc3

2.4.0

2.4.1

2.4.1.1

2.4.1.2

2.4.1.3

2.4.2

2.4.3

2.4.4

2.4.5

2.4.5.1

2.4.6

2.4.6.1

2.5.0-rc1

2.5.0

2.5.1

2.5.2

2.5.3

2.5.4

2.5.5

2.6.0-rc1

2.6.0-rc2

2.6.0-rc3

2.6.0-rc4

2.6.0

2.6.1

2.6.2

2.6.3

2.6.4

2.6.5

2.6.6

2.6.7

Database specific

{
    "last_known_affected_version_range": "<= 2.6.7.0"
}

Maven / com.fasterxml.jackson.core:jackson-databind

Package

Name: com.fasterxml.jackson.core:jackson-databind; View open source insights on deps.dev
Purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.7.0

Fixed

2.7.9.1

Affected versions

2.*

2.7.0

2.7.1

2.7.1-1

2.7.2

2.7.3

2.7.4

2.7.5

2.7.6

2.7.7

2.7.8

2.7.9

Database specific

{
    "last_known_affected_version_range": "<= 2.7.9.0"
}

Maven / com.fasterxml.jackson.core:jackson-databind

Package

Name: com.fasterxml.jackson.core:jackson-databind; View open source insights on deps.dev
Purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.8.0

Fixed

2.8.9

Affected versions

2.*

2.8.0

2.8.1

2.8.2

2.8.3

2.8.4

2.8.5

2.8.6

2.8.7

2.8.8

2.8.8.1