OSV (Google): GHSA-H592-38CM-4GGP
History: Oct 18, 2018 - 5:42 p.m.

jackson-databind vulnerable to deserialization flaw leading to unauthenticated remote code execution

Source: Google (osv.dev)

EPSS: 0.571 (percentile 97.7%)

jackson-databind in versions prior to 2.8.11 and 2.9.4 contains a deserialization flaw which allows an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of the ObjectMapper. The input names a class for Jackson's polymorphic (default) typing to instantiate, so any deserializable class on the classpath becomes reachable. This issue extends the previous flaw CVE-2017-7525, and the fix blacklists additional vulnerable classes.
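The flaw only matters when an application has turned on default typing, because that is what lets the JSON document pick the class Jackson instantiates. The example below is added here and is not code from the advisory or from the jackson-databind project: it puts the weak configuration (`enableDefaultTyping()`, which accepts any class name the blocklist does not enumerate) beside the hardened one (`activateDefaultTyping` with an explicit allowlist, available in jackson-databind 2.10 and later). The class names `Demo`, `Greeting` and `NotAModelType` and both JSON payloads are constructed for the example; `NotAModelType` stands in for any classpath class an attacker might name, without claiming it is a gadget.

```java
// Added example: attacker-chosen class instantiation via default typing,
// and the allowlist configuration that stops it. Assumes jackson-databind
// 2.10+ on the classpath; all class names and payloads are hypothetical.
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

// The one polymorphic value type the application legitimately expects.
class Greeting {
    public String text;
    public Greeting() { }
}

// Stands in for any other deserializable class on the classpath. The flag
// records that its constructor ran under attacker control.
class NotAModelType {
    static boolean constructed = false;
    public NotAModelType() { constructed = true; }
}

public class Demo {
    // Constructed payloads in Jackson's default WRAPPER_ARRAY form:
    // ["<class name>", <value>]. The class name is attacker-controlled.
    static final String LEGITIMATE_PAYLOAD = "[\"Greeting\", {\"text\":\"hello\"}]";
    static final String ATTACKER_PAYLOAD = "[\"NotAModelType\", {}]";

    // Weak configuration: every java.lang.Object or non-concrete target
    // accepts whatever class name appears in the input, minus the blocklist.
    static ObjectMapper vulnerableMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // deprecated since 2.10 for exactly this reason
        return mapper;
    }

    // Hardened configuration: default typing stays on, but only classes the
    // validator allows may be resolved from a type id in the input.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Greeting.class)
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        // Vulnerable path: the input decides which class is constructed.
        Object attackerChosen = vulnerableMapper().readValue(ATTACKER_PAYLOAD, Object.class);
        System.out.println("vulnerable mapper instantiated " + attackerChosen.getClass().getName()
                + ", constructor ran: " + NotAModelType.constructed);

        // Hardened path: the allowed model type still works...
        ObjectMapper safe = hardenedMapper();
        Greeting greeting = (Greeting) safe.readValue(LEGITIMATE_PAYLOAD, Object.class);
        System.out.println("hardened mapper accepted Greeting: " + greeting.text);

        // ...and anything outside the allowlist is rejected before instantiation.
        try {
            safe.readValue(ATTACKER_PAYLOAD, Object.class);
            System.out.println("UNEXPECTED: attacker-chosen type was accepted");
        } catch (InvalidTypeIdException e) {
            System.out.println("hardened mapper rejected type id: " + e.getTypeId());
        }
    }
}
```

Compile and run it with the three Jackson jars (databind, core, annotations) on the classpath, for example `javac -cp 'jackson-*.jar' Demo.java` followed by `java -cp '.:jackson-*.jar' Demo`, rather than Java's single-file source launcher, so that Jackson's class loader can see the hypothetical classes. The design point is that the advisory's fix is a blocklist of known gadget classes, which is why the versions in this advisory had to extend the earlier CVE-2017-7525 list: an allowlist of the application's own types, or simply not enabling default typing, closes the whole class of bugs instead of one gadget at a time.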

References