RHSA-2018:0342-01 -- Redhat rh-maven35-jackson-databindID: oval:org.secpod.oval:def:504924 | Date: (C)2021-01-29 (M)2023-09-20 |
Class: PATCH | Family: unix |
The jackson-databind package provides general data-binding functionality for Jackson, which works on top of Jackson core streaming API. Security Fix: * A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. * Further classes that an attacker could use to achieve code execution through deserialisation were discovered, and added to the blacklist introduced by CVE-2017-7525. Red Hat would like to thank Liao Xinxi for reporting CVE-2017-7525 and CVE-2017-15095 and 0c0c0f from 360 for reporting CVE-2017-17485.
Platform: |
Red Hat Enterprise Linux 7 |
Product: |
rh-maven35-jackson-databind |