A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of ObjectMapper (CVE-2017-17485). A flaw was found in FasterXML jackson-databind which allows unauthenticated remote code execution due deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist (CVE-2018-5968).
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Mageia | 6 | noarch | jackson-databind | < 2.7.6-1.3 | jackson-databind-2.7.6-1.3.mga6 |