A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.
References
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
Configuration 4 (hide)
AND |
|
Configuration 5 (hide)
AND |
|
Configuration 6 (hide)
AND |
|
Configuration 7 (hide)
|
Configuration 8 (hide)
|
History
07 Nov 2023, 02:39
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
Information
Published : 2018-02-06 15:29
Updated : 2024-02-28 16:25
NVD link : CVE-2017-15095
Mitre link : CVE-2017-15095
CVE.ORG link : CVE-2017-15095
JSON object : View
Products Affected
netapp
- oncommand_performance_manager
- oncommand_balance
- snapcenter
- oncommand_shift
oracle
- communications_billing_and_revenue_management
- clusterware
- database_server
- financial_services_analytical_applications_infrastructure
- communications_instant_messaging_server
- utilities_advanced_spatial_and_operational_analytics
- identity_manager
- jd_edwards_enterpriseone_tools
- banking_platform
- primavera_unifier
- global_lifecycle_management_opatchauto
- webcenter_portal
- enterprise_manager_for_virtualization
- communications_diameter_signaling_router
redhat
- enterprise_linux
- satellite_capsule
- openshift_container_platform
- satellite
- jboss_enterprise_application_platform
debian
- debian_linux
fasterxml
- jackson-databind