Lucene search

K
redhatcveRedhat.comRH:CVE-2017-15095
HistoryJul 17, 2021 - 11:47 p.m.

CVE-2017-15095

2021-07-1723:47:49
redhat.com
access.redhat.com
436

EPSS

0.571

Percentile

97.7%

A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.

Mitigation

Mitigation to this problem is to not trigger polymorphic desrialization globally by using: objectMapper.enableDefaultTyping() and rather use @JsonTypeInfo on the class property to explicitly define the type information. For more information on this issue please refer to <https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true&gt;