CVE-2017-15095 Information

Feb 14, 2021 cve

Description

A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1 which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Reference

http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html http://www.securityfocus.com/bid/103880 http://www.securitytracker.com/id/1039769 https://access.redhat.com/errata/RHSA-2017:3189 https://access.redhat.com/errata/RHSA-2017:3190 https://access.redhat.com/errata/RHSA-2018:0342 https://access.redhat.com/errata/RHSA-2018:0478 https://access.redhat.com/errata/RHSA-2018:0479 https://access.redhat.com/errata/RHSA-2018:0480 https://access.redhat.com/errata/RHSA-2018:0481 https://access.redhat.com/errata/RHSA-2018:0576 https://access.redhat.com/errata/RHSA-2018:0577 https://access.redhat.com/errata/RHSA-2018:1447 https://access.redhat.com/errata/RHSA-2018:1448 https://access.redhat.com/errata/RHSA-2018:1449 https://access.redhat.com/errata/RHSA-2018:1450 https://access.redhat.com/errata/RHSA-2018:1451 https://access.redhat.com/errata/RHSA-2018:2927 https://access.redhat.com/errata/RHSA-2019:2858 https://access.redhat.com/errata/RHSA-2019:3149 https://access.redhat.com/errata/RHSA-2019:3892 https://github.com/FasterXML/jackson-databind/issues/1680 https://github.com/FasterXML/jackson-databind/issues/1737 https://lists.apache.org/thread.html/f095a791bda6c0595f691eddd0febb2d396987eec5cbd29120d8c629@3Csolr-user.lucene.apache.org3E https://lists.debian.org/debian-lts-announce/2020/01/msg00037.html https://security.netapp.com/advisory/ntap-20171214-0003/ https://www.debian.org/security/2017/dsa-4037 https://www.oracle.com/security-alerts/cpuoct2020.html https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

9.8

Share on: