The vulnerability of the readValue method in the ObjectMapper class of the Jackson-databind library arises from the possibility of restoring unreliable data structures in memory. This allows attackers to gain access to confidential data, compromise its integrity, and cause service failures.

🗓️ 21 Mar 2021 00:00:00Reported by FSTEC of Russia — Information Security Threat DatabaseType

bdu_fstec

bdu_fstec🔗 bdu.fstec.ru👁 3 Views

Jackson-databind ObjectMapper readValue flaw enables unsafe deserialization due to poor input validation.

Reporter	Title	Published	Views	Family All 136
IBM Security Bulletins	Security Bulletin: Vulnerabilities in jackson-databind affect IBM watsonx.data	18 Sep 202416:36	–	ibm
IBM Security Bulletins	Security Bulletin: Common Vulnerabilities found in Cloudera Data Platform Private Cloud base with IBM	2 Mar 202614:33	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Maximo Asset Management is vulnerable to Multiple Jackson-Databind CVEs - February 2020	1 Mar 202212:38	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Cloud Pak for Multicloud Management Monitoring has patched several open source dependencies	18 Dec 202115:42	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Security Guardium Insights is affected by Components with known vulnerabilities	6 Oct 202112:30	–	ibm
IBM Security Bulletins	Security Bulletin: IBM InfoSphere Information Server is affected by multiple vulnerabilities in Jackson databind	2 Jun 202123:46	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Data Risk Manager is affected by multiple vulnerabilities	13 Aug 202122:15	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple Vulnerabilities in IBM Guardium Data Encryption (GDE)	12 Jan 202114:42	–	ibm
IBM Security Bulletins	Security Bulletin: z/Transaction Processing Facility is affected by multiple vulnerabilities in the jackson-databind, jackson-dataformat-xml, jackson-core, slf4j-ext, and cxf-core packages	10 Oct 202222:34	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities within Jackson JSON library affect IBM Business Automation Workflow (CVE-2017-17485, CVE-2018-5968, CVE-2018-7489)	3 Jan 202315:55	–	ibm

Vulners

Node

red_hat openshift_container_platformMatch4.1

OR

red_hat openshift_container_platformMatch3.11

OR

red_hat jboss_enterprise_application_platformMatch6.4

OR

red_hat jboss_operations_networkMatch3.3

OR

red_hat jboss_fuseMatch7

OR

red_hat jboss_enterprise_application_platformMatch7

OR

red_hat jboss_enterprise_application_platformMatch6

OR

fasterxml,_llc jackson-databindRange2.6.0–2.6.7.3

OR

fasterxml,_llc jackson-databindRange2.7.0–2.7.9.2

OR

fasterxml,_llc jackson-databindRange2.8.0–2.8.11

OR

fasterxml,_llc jackson-databindRange2.9.0–2.9.4

Source	Link
nvd	www.nvd.nist.gov/vuln/detail/CVE-2017-17485
security-tracker	www.security-tracker.debian.org/tracker/CVE-2017-17485
bugzilla	www.bugzilla.redhat.com/show_bug.cgi
github	www.github.com/FasterXML/jackson-databind/issues/1855
access	www.access.redhat.com/errata/RHSA-2018:0116
access	www.access.redhat.com/errata/RHSA-2018:0342
access	www.access.redhat.com/errata/RHSA-2018:0478
access	www.access.redhat.com/errata/RHSA-2018:0479
access	www.access.redhat.com/errata/RHSA-2018:0480
access	www.access.redhat.com/errata/RHSA-2018:0481

21 Mar 2021 00:00Current

7High risk

Vulners AI Score7

CVSS 27.5

CVSS 39.8

EPSS0.49727

jackson-databind objectmapper deserialization input-validation confidential-data service-failure