Lucene search

K
osvGoogleOSV:GHSA-CGGJ-FVV3-CQWV
HistoryOct 16, 2018 - 5:45 p.m.

FasterXML jackson-databind allows unauthenticated remote code execution

2018-10-1617:45:18
Google
osv.dev
35

AI Score

9.3

Confidence

High

EPSS

0.936

Percentile

99.1%

FasterXML jackson-databind before before 2.6.7.5, 2.7.x before 2.7.9.3, 2.8.x before 2.8.11.1, and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.

References