Lucene search

K
osvGoogleOSV:GHSA-RFX6-VP9G-RH7V
HistoryOct 18, 2018 - 5:42 p.m.

jackson-databind vulnerable to remote code execution due to incorrect deserialization and blocklist bypass

2018-10-1817:42:48
Google
osv.dev
471

EPSS

0.571

Percentile

97.7%

FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.

References