The jackson-databind package provides general data-binding functionality for Jackson, which works on top of Jackson core streaming API.
- A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of ObjectMapper. This issue extends upon the previous flaws CVE-2017-7525 and CVE-2017-15095 by blacklisting more classes that could be used maliciously. (CVE-2017-17485)
Red Hat would like to thank 0c0c0f from 360观星实验室 for reporting this issue.