CVE-2017-15095
CRITICAL severity · CVSS 9.8 · CWE-184
9.8CVSS CRITICAL
Summary
A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.
Impact & exploitability
Attack vectorNetwork
Attack complexityLow
Privileges requiredNone
User interactionNone
Confidentiality impactHigh
Integrity impactHigh
Availability impactHigh
Exploit probability (EPSS)8%
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products we track (1)
Recommendation
Apply the vendor fix promptly. Open any affected product above for its exact safe version.
Official patch: http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html ↗
Additional information
- NVD record
- http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.htmlPatch
- http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.htmlPatch
- http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.htmlPatch
- http://www.securityfocus.com/bid/103880Advisory
- http://www.securitytracker.com/id/1039769Advisory
- https://access.redhat.com/errata/RHSA-2017:3189Advisory
- https://access.redhat.com/errata/RHSA-2017:3190Advisory
- https://access.redhat.com/errata/RHSA-2018:0342Advisory