Remote code execution vulnerability in Ubuntu via crafted JSON inputID: oval:org.secpod.oval:def:50606 | Date: (C)2019-02-04 (M)2023-12-20 |
Class: VULNERABILITY | Family: unix |
FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.
Platform: |
Ubuntu 16.04 |
Ubuntu 14.04 |