[Forgot Password]
Login  Register Subscribe

24003

 
 

131486

 
 

106342

 
 

909

 
 

84631

 
 

134

Paid content will be excluded from the download.


Download | Alert*
CVE
view XML view JSON

CVE-2017-15095Date: (C)2018-02-07   (M)2018-04-24


A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.

CVSS Score and Metrics +CVSS Score and Metrics -

CVSS V3 Severity:CVSS V2 Severity:
CVSS Score : 9.8CVSS Score : 7.5
Exploit Score: 3.9Exploit Score: 10.0
Impact Score: 5.9Impact Score: 6.4
 
CVSS V3 Metrics:CVSS V2 Metrics:
Attack Vector: NETWORKAccess Vector: NETWORK
Attack Complexity: LOWAccess Complexity: LOW
Privileges Required: NONEAuthentication: NONE
User Interaction: NONEConfidentiality: PARTIAL
Scope: UNCHANGEDIntegrity: PARTIAL
Confidentiality: HIGHAvailability: PARTIAL
Integrity: HIGH 
Availability: HIGH 
  
Reference:
BID-103880
SECTRACK-1039769
DSA-4037
RHSA-2017:3189
RHSA-2017:3190
RHSA-2018:0342
RHSA-2018:0478
RHSA-2018:0479
RHSA-2018:0480
RHSA-2018:0481
RHSA-2018:0576
RHSA-2018:0577
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
https://github.com/FasterXML/jackson-databind/issues/1680
https://github.com/FasterXML/jackson-databind/issues/1737
https://security.netapp.com/advisory/ntap-20171214-0003/

CPE    2
cpe:/o:debian:debian_linux:9.0
cpe:/o:debian:debian_linux:8.0
CWE    1
CWE-502
OVAL    5
oval:org.secpod.oval:def:603177
oval:org.secpod.oval:def:113412
oval:org.secpod.oval:def:113561
oval:org.secpod.oval:def:113994
...

© 2013 SecPod Technologies