Vulnerability CVE-2017-15095

Vulnerability CVE-2017-15095

Published: 2018-02-06

Description:

A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.

Type:

CWE-502

(Deserialization of Untrusted Data)

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Base Score	Impact Subscore	Exploitability Subscore
7.5/10	6.4/10	10/10

Exploit range	Attack complexity	Authentication
Remote	Low	No required
Confidentiality impact	Integrity impact	Availability impact
Partial	Partial	Partial

Affected software
Redhat -> Jboss enterprise application platform
Fasterxml -> Jackson-databind
Fasterxml -> Jackson
Debian -> Debian linux

References:

http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

http://www.securityfocus.com/bid/103880

http://www.securitytracker.com/id/1039769

https://access.redhat.com/errata/RHSA-2017:3189

https://access.redhat.com/errata/RHSA-2017:3190

https://access.redhat.com/errata/RHSA-2018:0342

https://access.redhat.com/errata/RHSA-2018:0478

https://access.redhat.com/errata/RHSA-2018:0479

https://access.redhat.com/errata/RHSA-2018:0480

https://access.redhat.com/errata/RHSA-2018:0481

https://access.redhat.com/errata/RHSA-2018:0576

https://access.redhat.com/errata/RHSA-2018:0577

https://access.redhat.com/errata/RHSA-2018:1447

https://access.redhat.com/errata/RHSA-2018:1448

https://access.redhat.com/errata/RHSA-2018:1449

https://access.redhat.com/errata/RHSA-2018:1450

https://access.redhat.com/errata/RHSA-2018:1451

https://access.redhat.com/errata/RHSA-2018:2927

https://access.redhat.com/errata/RHSA-2019:2858

https://github.com/FasterXML/jackson-databind/issues/1680

https://github.com/FasterXML/jackson-databind/issues/1737

https://security.netapp.com/advisory/ntap-20171214-0003/

https://www.debian.org/security/2017/dsa-4037

https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Vulnerability CVE-2017-15095

CWE-502

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:P/A:P)

7.5/10

6.4/10

10/10

Remote

Low

No required

Partial

Partial

Partial

Affected software

References: