Veracode Vulnerability Database, VERACODE:8090
Dec 28, 2018 - 4:02 a.m.

Deserialization Of Untrusted Data

2018-12-28 04:02:56
sca.analysiscenter.veracode.com
jackson-databind, deserialization, vulnerability, untrusted data

EPSS: 0.493
Percentile: 97.6%

jackson-databind is susceptible to deserialization of untrusted data. The cause is an incomplete fix for CVE-2017-7525 in the classes that perform general-purpose data binding and tree-model processing of untrusted data.

Affected configurations

Node (Vulners):
fasterxml jackson-databind, match 2.7.6_2.4.el7
OR
fasterxml jackson-databind, match 2.7.6_2.2.el7
OR
fasterxml jackson-databind, range ≤2.9.6
OR
fasterxml jackson-mapper-asl, range ≤1.9.13

| Vendor | Product | Version | CPE |
|---|---|---|---|
| fasterxml | jackson-databind | 2.7.6_2.4.el7 | cpe:2.3:a:fasterxml:jackson-databind:2.7.6_2.4.el7:*:*:*:*:*:*:* |
| fasterxml | jackson-databind | 2.7.6_2.2.el7 | cpe:2.3:a:fasterxml:jackson-databind:2.7.6_2.2.el7:*:*:*:*:*:*:* |
| fasterxml | jackson-databind | * | cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:* |
| fasterxml | jackson-mapper-asl | * | cpe:2.3:a:fasterxml:jackson-mapper-asl:*:*:*:*:*:*:*:* |

References