Deserialization of Untrusted Data Affecting jackson-databind package, versions <2.8.6-1+deb9u3
- Snyk ID SNYK-DEBIAN9-JACKSONDATABIND-353978
- published 10 Jan 2018
- disclosed 10 Jan 2018
- introduced 10 Jan 2018
CVE-2017-17485
How to fix?
Upgrade Debian:9 jackson-databind to version 2.8.6-1+deb9u3 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream jackson-databind package and not the jackson-databind package as distributed by Debian. See "How to fix?" for the Debian:9 relevant fixed versions and status.
FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.
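As an added example (not part of this advisory or of the jackson-databind project), the ObjectMapper configuration this flaw depends on is shown next to a hardened form that works on the 2.8 line without relying on the class blacklist. Shape, Circle and Square are hypothetical application types.

```java
// Added example: vulnerable precondition beside a hardened form (jackson-databind 2.8+).
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;

public class PolymorphicDeserializationDemo {

    // VULNERABLE precondition: default typing lets the JSON document choose the
    // Java class to instantiate, so the blacklist is the only barrier, and
    // CVE-2017-17485 is a bypass of that blacklist. Grep for this in code review.
    static ObjectMapper vulnerableMapper() {
        return new ObjectMapper().enableDefaultTyping(); // do not use
    }

    // HARDENED: default typing stays off. Polymorphism is expressed through a
    // closed set of named subtypes, so "@type" can only select Circle or Square,
    // never an arbitrary class that happens to be on the classpath.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "@type")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = Circle.class, name = "circle"),
        @JsonSubTypes.Type(value = Square.class, name = "square")
    })
    interface Shape {}
    public static class Circle implements Shape { public double radius; }
    public static class Square implements Shape { public double side; }

    static ObjectMapper hardenedMapper() {
        return new ObjectMapper(); // no enableDefaultTyping()
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = hardenedMapper();

        // Constructed input naming a registered subtype: accepted.
        Shape ok = mapper.readValue("{\"@type\":\"circle\",\"radius\":2.0}", Shape.class);
        System.out.println("accepted: " + ok.getClass().getSimpleName());

        // Constructed input naming a type id outside the registered set: rejected
        // by the type-id resolver before any object is instantiated.
        try {
            mapper.readValue("{\"@type\":\"java.util.HashMap\"}", Shape.class);
            System.out.println("unexpected: accepted");
        } catch (JsonMappingException e) {
            System.out.println("rejected: " + e.getOriginalMessage());
        }
    }
}
```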