CVE-2017-15095

Description from NVD

A deserialization flaw was discovered in jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.

Information Acquisition Date: 2023-03-01T15:02Z

CVSS 2.0: 7.5 HIGH
CVSS 3.x: 9.8 CRITICAL

CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

NVD References

 https://github.com/FasterXML/jackson-databind/issues/1737
     source:CONFIRM
     tags:Issue Tracking    Patch    Third Party Advisory    
 https://github.com/FasterXML/jackson-databind/issues/1680
     source:CONFIRM
     tags:Issue Tracking    Third Party Advisory    
 DSA-4037
     source:DEBIAN
     tags:Third Party Advisory    
 https://security.netapp.com/advisory/ntap-20171214-0003/
     source:CONFIRM
     tags:Third Party Advisory    
 RHSA-2017:3190
     source:REDHAT
     tags:Third Party Advisory    
 RHSA-2017:3189
     source:REDHAT
     tags:Third Party Advisory    
 1039769
     source:SECTRACK
     tags:Third Party Advisory    VDB Entry    
 RHSA-2018:0342
     source:REDHAT
     tags:Third Party Advisory    
 RHSA-2018:0481
     source:REDHAT
     tags:Third Party Advisory    
 RHSA-2018:0480
     source:REDHAT
     tags:Third Party Advisory    
 RHSA-2018:0479
     source:REDHAT
     tags:Third Party Advisory    
 RHSA-2018:0478
     source:REDHAT
     tags:Third Party Advisory    
 RHSA-2018:0577
     source:REDHAT
     tags:Third Party Advisory    
 RHSA-2018:0576
     source:REDHAT
     tags:Third Party Advisory    
 103880
     source:BID
     tags:Third Party Advisory    VDB Entry    
 http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
     source:CONFIRM
     tags:Patch    Third Party Advisory    
 RHSA-2018:1451
     source:REDHAT
     tags:Third Party Advisory    
 RHSA-2018:1450
     source:REDHAT
     tags:Third Party Advisory    
 RHSA-2018:1449
     source:REDHAT
     tags:Third Party Advisory    
 RHSA-2018:1448
     source:REDHAT
     tags:Third Party Advisory    
 RHSA-2018:1447
     source:REDHAT
     tags:Third Party Advisory    
 http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
     source:CONFIRM
     tags:Patch    Third Party Advisory    
 http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
     source:CONFIRM
     tags:Patch    Third Party Advisory    
 RHSA-2018:2927
     source:REDHAT
     tags:Third Party Advisory    
 https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
     source:CONFIRM
     tags:Patch    Third Party Advisory    
 https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
     source:MISC
     tags:Patch    Third Party Advisory    
 RHSA-2019:2858
     source:REDHAT
     tags:Third Party Advisory    
 RHSA-2019:3149
     source:REDHAT
     tags:Third Party Advisory    
 RHSA-2019:3892
     source:REDHAT
     tags:Third Party Advisory    
 [lucene-solr-user] 20191219 Re: CVE-2017-7525 fix for Solr 7.7.x
     source:MLIST
     tags:Mailing List    Third Party Advisory    
 [debian-lts-announce] 20200131 [SECURITY] [DLA 2091-1] libjackson-json-java security update
     source:MLIST
     tags:Mailing List    Third Party Advisory    
 https://www.oracle.com/security-alerts/cpuoct2020.html
     source:MISC
     tags:Third Party Advisory    

Description from Forti

CVE-2017-17485 jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095) [fedora-all]

Information Acquisition Date: 2023/03/01


Software Tag: BIND (4 tweets), Oracle (28 tweets)



List of frequently cited URLs

URL | Num of Times Referred to
http://vulmon.com/vulnerabilitydetails?qid=CVE | 1591
https://alerts.vulmon.com/?utm_source=twitter&utm_medium=so... | 272


GitHub Search Results: Up to 10

Name | URL
SecureSkyTechnology/study-struts2-s2-054_055-jackson-cve-2017-7525_cve-2017-15095 | https://github.com/SecureSkyTechnology/study-struts2-s2-054_055-jackson-cve-2017-7525_cve-2017-15095

2023/04/09 Score: 0
Added to Har-sia Database: 2020/10/10
Last Modified: 2023/04/09
Highest Scored Date: 2023/02/28
Highest Score: 17