CVE-2017-7525

critical

Description

A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.

References

https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

https://www.oracle.com/security-alerts/cpuoct2020.html

https://www.debian.org/security/2017/dsa-4004

https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03902en_us

https://security.netapp.com/advisory/ntap-20171214-0002/

https://lists.debian.org/debian-lts-announce/2020/08/msg00039.html

https://lists.debian.org/debian-lts-announce/2020/01/msg00037.html

https://lists.apache.org/thread.html/rf7f87810c38dc9abf9f93989f76008f504cbf7c1a355214640b2d04c%40%3Ccommits.cassandra.apache.org%3E

https://lists.apache.org/thread.html/r68acf97f4526ba59a33cc6e592261ea4f85d890f99e79c82d57dd589%40%3Cissues.spark.apache.org%3E

https://lists.apache.org/thread.html/r42ac3e39e6265db12d9fc6ae1cd4b5fea7aed9830dc6f6d58228fed7%40%3Ccommits.cassandra.apache.org%3E

https://lists.apache.org/thread.html/f60afd3c7e9ebaaf70fad4a4beb75cf8740ac959017a31e7006c7486%40%3Cdev.lucene.apache.org%3E

https://lists.apache.org/thread.html/f095a791bda6c0595f691eddd0febb2d396987eec5cbd29120d8c629%40%3Csolr-user.lucene.apache.org%3E

https://lists.apache.org/thread.html/c9d5ff20929e8a3c8794facf4c4b326a9c10618812eec356caa20b87%40%3Csolr-user.lucene.apache.org%3E

https://lists.apache.org/thread.html/c2ed4c0126b43e324cf740012a0edd371fd36096fd777be7bfe7a2a6%40%3Cdev.lucene.apache.org%3E

https://lists.apache.org/thread.html/c10a2bf0fdc3d25faf17bd191d6ec46b29a353fa9c97bebd7c4e5913%40%3Cdev.lucene.apache.org%3E

https://lists.apache.org/thread.html/b1f33fe5ade396bb903fdcabe9f243f7692c7dfce5418d3743c2d346%40%3Cdev.lucene.apache.org%3E

https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E

https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E

https://lists.apache.org/thread.html/5008bcbd45ee65ce39e4220b6ac53d28a24d6bc67d5804e9773a7399%40%3Csolr-user.lucene.apache.org%3E

https://lists.apache.org/thread.html/4641ed8616ccc2c1fbddac2c3dc9900c96387bc226eaf0232d61909b%40%3Ccommits.cassandra.apache.org%3E

https://lists.apache.org/thread.html/3c87dc8bca99a2b3b4743713b33d1de05b1d6b761fdf316224e9c81f%40%3Cdev.lucene.apache.org%3E

https://github.com/FasterXML/jackson-databind/issues/1723

https://github.com/FasterXML/jackson-databind/issues/1599

https://cwiki.apache.org/confluence/display/WW/S2-055

https://bugzilla.redhat.com/show_bug.cgi?id=1462702

https://access.redhat.com/errata/RHSA-2019:3149

https://access.redhat.com/errata/RHSA-2019:2858

https://access.redhat.com/errata/RHSA-2019:0910

https://access.redhat.com/errata/RHSA-2018:1450

https://access.redhat.com/errata/RHSA-2018:1449

https://access.redhat.com/errata/RHSA-2018:0342

https://access.redhat.com/errata/RHSA-2018:0294

https://access.redhat.com/errata/RHSA-2017:3458

https://access.redhat.com/errata/RHSA-2017:3456

https://access.redhat.com/errata/RHSA-2017:3455

https://access.redhat.com/errata/RHSA-2017:3454

https://access.redhat.com/errata/RHSA-2017:3141

https://access.redhat.com/errata/RHSA-2017:2638

https://access.redhat.com/errata/RHSA-2017:2637

https://access.redhat.com/errata/RHSA-2017:2636

https://access.redhat.com/errata/RHSA-2017:2635

https://access.redhat.com/errata/RHSA-2017:2633

https://access.redhat.com/errata/RHSA-2017:2547

https://access.redhat.com/errata/RHSA-2017:2546

https://access.redhat.com/errata/RHSA-2017:2477

https://access.redhat.com/errata/RHSA-2017:1840

https://access.redhat.com/errata/RHSA-2017:1839

https://access.redhat.com/errata/RHSA-2017:1837

https://access.redhat.com/errata/RHSA-2017:1836

https://access.redhat.com/errata/RHSA-2017:1835

https://access.redhat.com/errata/RHSA-2017:1834

http://www.securitytracker.com/id/1040360

http://www.securitytracker.com/id/1039947

http://www.securitytracker.com/id/1039744

http://www.securityfocus.com/bid/99623

http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

Details

Source: Mitre, NVD

Published: 2018-02-06

Updated: 2024-11-21

Risk Information

CVSS v2

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Severity: High

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical