CVE-2017-15095
unknown
CVSS v3
—
CVSS v2
—
VIR risk
—
Description
A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.
Predictions
Exploit likelihood
30%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2017-15095
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bookworm | fixed | 2.9.1-1 |
| debian | bullseye | fixed | 2.9.1-1 |
| debian | forky | fixed | 2.9.1-1 |
| debian | sid | fixed | 2.9.1-1 |
| debian | trixie | fixed | 2.9.1-1 |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Maven | com.fasterxml.jackson.core:jackson-databind | >=2.8.0,<2.8.11 | 2.8.11 |
| Maven | com.fasterxml.jackson.core:jackson-databind | >=2.9.0,<2.9.4 | 2.9.4 |
| Maven | com.fasterxml.jackson.core:jackson-databind | >=2.0.0,<2.6.7.3 | 2.6.7.3 |
| Maven | com.fasterxml.jackson.core:jackson-databind | >=2.7.0,<2.7.9.2 | 2.7.9.2 |
References
- https://nvd.nist.gov/vuln/detail/CVE-2017-15095
- https://github.com/FasterXML/jackson-databind/issues/1680
- https://github.com/FasterXML/jackson-databind/issues/1737
- https://github.com/FasterXML/jackson-databind/commit/a054585e2175ad0882f07bcafedecfac86230f1b
- https://github.com/FasterXML/jackson-databind/commit/a3939d36edcc755c8af55bdc1969e0fa8438f9db
- https://github.com/FasterXML/jackson-databind/commit/ddfddfba6414adbecaff99684ef66eebd3a92e92
- https://github.com/FasterXML/jackson-databind/commit/e865a7a4464da63ded9f4b1a2328ad85c9ded78b
- https://github.com/FasterXML/jackson-databind/commit/e8f043d1aac9b82eee907e0f0c3abbdea723a935
- https://github.com/tolbertam/jackson-databind/commit/80566a0f96b2003863f9d8f9ccc3b562001e147b
- https://access.redhat.com/errata/RHSA-2017:3189
- https://lists.apache.org/thread.html/f095a791bda6c0595f691eddd0febb2d396987eec5cbd29120d8c629@%3Csolr-user.lucene.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2020/01/msg00037.html
- https://security.netapp.com/advisory/ntap-20171214-0003
- https://web.archive.org/web/20200401000000*/http://www.securityfocus.com/bid/103880
- https://web.archive.org/web/20201221192044/http://www.securitytracker.com/id/1039769
- https://www.debian.org/security/2017/dsa-4037
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
- https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
- https://access.redhat.com/errata/RHSA-2017:3190
- https://access.redhat.com/errata/RHSA-2018:0342
- https://access.redhat.com/errata/RHSA-2018:0478
- https://access.redhat.com/errata/RHSA-2018:0479
- https://access.redhat.com/errata/RHSA-2018:0480
- https://access.redhat.com/errata/RHSA-2018:0481
Verify integrity in audit chain (admin only). AS-IS.