Vulnerability CVE-2017-15095


Published: 2018-02-06

Description:
A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.

Type:

CWE-502

(Deserialization of Untrusted Data)

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
7.5/10
6.4/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial
Affected software
Redhat -> Jboss enterprise application platform 
Fasterxml -> Jackson-databind 
Fasterxml -> Jackson 
Debian -> Debian linux 

 References:
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
http://www.securityfocus.com/bid/103880
http://www.securitytracker.com/id/1039769
https://access.redhat.com/errata/RHSA-2017:3189
https://access.redhat.com/errata/RHSA-2017:3190
https://access.redhat.com/errata/RHSA-2018:0342
https://access.redhat.com/errata/RHSA-2018:0478
https://access.redhat.com/errata/RHSA-2018:0479
https://access.redhat.com/errata/RHSA-2018:0480
https://access.redhat.com/errata/RHSA-2018:0481
https://access.redhat.com/errata/RHSA-2018:0576
https://access.redhat.com/errata/RHSA-2018:0577
https://access.redhat.com/errata/RHSA-2018:1447
https://access.redhat.com/errata/RHSA-2018:1448
https://access.redhat.com/errata/RHSA-2018:1449
https://access.redhat.com/errata/RHSA-2018:1450
https://access.redhat.com/errata/RHSA-2018:1451
https://access.redhat.com/errata/RHSA-2018:2927
https://access.redhat.com/errata/RHSA-2019:2858
https://github.com/FasterXML/jackson-databind/issues/1680
https://github.com/FasterXML/jackson-databind/issues/1737
https://security.netapp.com/advisory/ntap-20171214-0003/
https://www.debian.org/security/2017/dsa-4037
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Copyright 2024, cxsecurity.com

 

Back to Top