[Forgot Password]
Login  Register Subscribe

24128

 
 

131615

 
 

111604

 
 

909

 
 

87185

 
 

136

Paid content will be excluded from the download.


Download | Alert*
CVE
view XML view JSON

CVE-2017-15095Date: (C)2018-02-07   (M)2018-07-19


A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.

CVSS Score and Metrics +CVSS Score and Metrics -

CVSS V3 Severity:CVSS V2 Severity:
CVSS Score : 9.8CVSS Score : 7.5
Exploit Score: 3.9Exploit Score: 10.0
Impact Score: 5.9Impact Score: 6.4
 
CVSS V3 Metrics:CVSS V2 Metrics:
Attack Vector: NETWORKAccess Vector: NETWORK
Attack Complexity: LOWAccess Complexity: LOW
Privileges Required: NONEAuthentication: NONE
User Interaction: NONEConfidentiality: PARTIAL
Scope: UNCHANGEDIntegrity: PARTIAL
Confidentiality: HIGHAvailability: PARTIAL
Integrity: HIGH 
Availability: HIGH 
  
Reference:
BID-103880
SECTRACK-1039769
DSA-4037
RHSA-2017:3189
RHSA-2017:3190
RHSA-2018:0342
RHSA-2018:0478
RHSA-2018:0479
RHSA-2018:0480
RHSA-2018:0481
RHSA-2018:0576
RHSA-2018:0577
RHSA-2018:1447
RHSA-2018:1448
RHSA-2018:1449
RHSA-2018:1450
RHSA-2018:1451
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
https://github.com/FasterXML/jackson-databind/issues/1680
https://github.com/FasterXML/jackson-databind/issues/1737
https://security.netapp.com/advisory/ntap-20171214-0003/

CPE    2
cpe:/o:debian:debian_linux:9.0
cpe:/o:debian:debian_linux:8.0
CWE    1
CWE-502
OVAL    5
oval:org.secpod.oval:def:113994
oval:org.secpod.oval:def:113995
oval:org.secpod.oval:def:603177
oval:org.secpod.oval:def:113412
...

© SecPod Technologies