12 matches found
This Week in Spring - SpringOne Essentials 2023 edition - January 24th, 2023
Hi, Spring fans! Welcome to another installment of This Week in Spring! Today is a very day for you see, today we kick off SpringOne Essentials, the online incarnation of SpringOne, online. Well see you live, on stream, in just a few hours!. SpringOne Essentials is going to be amazing, but before...
Remote Code Execution (RCE)
Jackson-databind is vulnerable to remote code execution RCE attacks. Attackers can exploit an incomplete fix of CVE-2017-7525 to bypass the blacklist when Spring libraries are available on the class path. In order to be vulnerable to this attack, either the use of @JsonTypeInfouse =...
GHSA-RFX6-VP9G-RH7V jackson-databind vulnerable to remote code execution due to incorrect deserialization and blocklist bypass
FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper,...
jackson-databind vulnerable to remote code execution due to incorrect deserialization and blocklist bypass
FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper,...
Remote Code Execution (RCE)
Jackson-databind is vulnerable to remote code execution RCE attacks. Attackers can exploit an incomplete fix of CVE-2017-7525 to bypass the blacklist when Spring libraries are available on the class path. In order to be vulnerable to this attack, either the use of @JsonTypeInfouse =...
CVE-2017-17485
FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper,...
CVE-2017-17485
FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper,...
Design/Logic Flaw
FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper,...
CVE-2017-17485
FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper,...
CVE-2017-17485
FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper,...
CVE-2017-17485
CVE-2017-17485 affects FasterXML jackson-databind: a deserialization flaw that enables unauthenticated remote code execution via readValue when the blacklist is bypassed if Spring libraries are on the classpath. The initial description specifies impact for jackson-databind up to 2.8.10 and 2.9.x ...
CVE-2017-17485
FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper,...