CVE-2017-15095

HIGH

Description

A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.

References

http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

http://www.securityfocus.com/bid/103880

http://www.securitytracker.com/id/1039769

https://access.redhat.com/errata/RHSA-2017:3189

https://access.redhat.com/errata/RHSA-2017:3190

https://access.redhat.com/errata/RHSA-2018:0342

https://access.redhat.com/errata/RHSA-2018:0478

https://access.redhat.com/errata/RHSA-2018:0479

https://access.redhat.com/errata/RHSA-2018:0480

https://access.redhat.com/errata/RHSA-2018:0481

https://access.redhat.com/errata/RHSA-2018:0576

https://access.redhat.com/errata/RHSA-2018:0577

https://access.redhat.com/errata/RHSA-2018:1447

https://access.redhat.com/errata/RHSA-2018:1448

https://access.redhat.com/errata/RHSA-2018:1449

https://access.redhat.com/errata/RHSA-2018:1450

https://access.redhat.com/errata/RHSA-2018:1451

https://access.redhat.com/errata/RHSA-2018:2927

https://access.redhat.com/errata/RHSA-2019:2858

https://access.redhat.com/errata/RHSA-2019:3149

https://github.com/FasterXML/jackson-databind/issues/1680

https://github.com/FasterXML/jackson-databind/issues/1737

https://security.netapp.com/advisory/ntap-20171214-0003/

https://www.debian.org/security/2017/dsa-4037

https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Details

Source: MITRE

Published: 2018-02-06

Updated: 2019-09-27

Type: CWE-502

Risk Information

CVSS v2.0

Base Score: 7.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Impact Score: 6.4

Exploitability Score: 10

Severity: HIGH

CVSS v3.0

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Impact Score: 5.9

Exploitability Score: 3.9

Severity: CRITICAL