GoogleOSV:GHSA-H592-38CM-4GGPjackson-databind vulnerable to deserialization flaw leading to unauthenticated remote code execution
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.493 Medium
EPSS
Percentile
97.4%
jackson-databind in versions prior to 2.8.11 and 2.9.4 contain a deserialization flaw which allows an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525, blacklisting additonal vulnerable classes.
References
www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
access.redhat.com/errata/RHSA-2017:3189
access.redhat.com/errata/RHSA-2017:3190
access.redhat.com/errata/RHSA-2018:0342
access.redhat.com/errata/RHSA-2018:0478
access.redhat.com/errata/RHSA-2018:0479
access.redhat.com/errata/RHSA-2018:0480
access.redhat.com/errata/RHSA-2018:0481
access.redhat.com/errata/RHSA-2018:0576
access.redhat.com/errata/RHSA-2018:0577
access.redhat.com/errata/RHSA-2018:1447
access.redhat.com/errata/RHSA-2018:1448
access.redhat.com/errata/RHSA-2018:1449
access.redhat.com/errata/RHSA-2018:1450
access.redhat.com/errata/RHSA-2018:1451
access.redhat.com/errata/RHSA-2018:2927
access.redhat.com/errata/RHSA-2019:2858
access.redhat.com/errata/RHSA-2019:3149
access.redhat.com/errata/RHSA-2019:3892
github.com/FasterXML/jackson-databind
github.com/FasterXML/jackson-databind/commit/a054585e2175ad0882f07bcafedecfac86230f1b
github.com/FasterXML/jackson-databind/commit/a3939d36edcc755c8af55bdc1969e0fa8438f9db
github.com/FasterXML/jackson-databind/commit/ddfddfba6414adbecaff99684ef66eebd3a92e92
github.com/FasterXML/jackson-databind/commit/e865a7a4464da63ded9f4b1a2328ad85c9ded78b
github.com/FasterXML/jackson-databind/commit/e8f043d1aac9b82eee907e0f0c3abbdea723a935
github.com/FasterXML/jackson-databind/issues/1680
github.com/FasterXML/jackson-databind/issues/1737
github.com/tolbertam/jackson-databind/commit/80566a0f96b2003863f9d8f9ccc3b562001e147b
lists.apache.org/thread.html/f095a791bda6c0595f691eddd0febb2d396987eec5cbd29120d8c629@%3Csolr-user.lucene.apache.org%3E
lists.debian.org/debian-lts-announce/2020/01/msg00037.html
nvd.nist.gov/vuln/detail/CVE-2017-15095
security.netapp.com/advisory/ntap-20171214-0003
web.archive.org/web/20200401000000*/www.securityfocus.com/bid/103880
web.archive.org/web/20201221192044/www.securitytracker.com/id/1039769
www.debian.org/security/2017/dsa-4037
www.oracle.com/security-alerts/cpuoct2020.html
www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
Related
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.493 Medium
EPSS
Percentile
97.4%