CVE-2017-7525

A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.

Published : 2018-02-06 15:29 Updated : 2019-09-27 03:15

7.5
CVSS Score More info
Score 7.5 / 10
7.5
Vendor Product Version URI
Fasterxml Jackson-databind 2.6.0 cpe:/a:fasterxml:jackson-databind:2.6.0
Fasterxml Jackson-databind 2.6.1 cpe:/a:fasterxml:jackson-databind:2.6.1
Fasterxml Jackson-databind 2.6.2 cpe:/a:fasterxml:jackson-databind:2.6.2
Fasterxml Jackson-databind 2.6.3 cpe:/a:fasterxml:jackson-databind:2.6.3
Fasterxml Jackson-databind 2.6.4 cpe:/a:fasterxml:jackson-databind:2.6.4
Fasterxml Jackson-databind 2.6.5 cpe:/a:fasterxml:jackson-databind:2.6.5
Fasterxml Jackson-databind 2.6.6 cpe:/a:fasterxml:jackson-databind:2.6.6
Fasterxml Jackson-databind 2.6.7 cpe:/a:fasterxml:jackson-databind:2.6.7
Fasterxml Jackson-databind 2.7.0 cpe:/a:fasterxml:jackson-databind:2.7.0
Fasterxml Jackson-databind 2.7.1 cpe:/a:fasterxml:jackson-databind:2.7.1
Fasterxml Jackson-databind 2.7.1-1 cpe:/a:fasterxml:jackson-databind:2.7.1-1
Fasterxml Jackson-databind 2.7.2 cpe:/a:fasterxml:jackson-databind:2.7.2
Fasterxml Jackson-databind 2.7.3 cpe:/a:fasterxml:jackson-databind:2.7.3
Fasterxml Jackson-databind 2.7.4 cpe:/a:fasterxml:jackson-databind:2.7.4
Fasterxml Jackson-databind 2.7.5 cpe:/a:fasterxml:jackson-databind:2.7.5
Fasterxml Jackson-databind 2.7.6 cpe:/a:fasterxml:jackson-databind:2.7.6
Fasterxml Jackson-databind 2.7.7 cpe:/a:fasterxml:jackson-databind:2.7.7
Fasterxml Jackson-databind 2.7.8 cpe:/a:fasterxml:jackson-databind:2.7.8
Fasterxml Jackson-databind 2.7.9 cpe:/a:fasterxml:jackson-databind:2.7.9
Fasterxml Jackson-databind 2.8.0 cpe:/a:fasterxml:jackson-databind:2.8.0
Fasterxml Jackson-databind 2.8.1 cpe:/a:fasterxml:jackson-databind:2.8.1
Fasterxml Jackson-databind 2.8.2 cpe:/a:fasterxml:jackson-databind:2.8.2
Fasterxml Jackson-databind 2.8.3 cpe:/a:fasterxml:jackson-databind:2.8.3
Fasterxml Jackson-databind 2.8.4 cpe:/a:fasterxml:jackson-databind:2.8.4
Fasterxml Jackson-databind 2.8.5 cpe:/a:fasterxml:jackson-databind:2.8.5
Fasterxml Jackson-databind 2.8.6 cpe:/a:fasterxml:jackson-databind:2.8.6
Fasterxml Jackson-databind 2.8.7 cpe:/a:fasterxml:jackson-databind:2.8.7
Fasterxml Jackson-databind 2.8.8 cpe:/a:fasterxml:jackson-databind:2.8.8
Fasterxml Jackson-databind 2.8.8.1 cpe:/a:fasterxml:jackson-databind:2.8.8.1
Debian Debian Linux 8.0 cpe:/o:debian:debian_linux:8.0
Debian Debian Linux 9.0 cpe:/o:debian:debian_linux:9.0
Fasterxml Jackson 1.0.0 cpe:/a:fasterxml:jackson:1.0.0
Fasterxml Jackson 1.1.0 cpe:/a:fasterxml:jackson:1.1.0
Fasterxml Jackson 1.1.2 cpe:/a:fasterxml:jackson:1.1.2
Fasterxml Jackson 1.2.0 cpe:/a:fasterxml:jackson:1.2.0
Fasterxml Jackson 1.3 cpe:/a:fasterxml:jackson:1.3
Fasterxml Jackson 1.4.0 cpe:/a:fasterxml:jackson:1.4.0
Fasterxml Jackson 1.4.6 cpe:/a:fasterxml:jackson:1.4.6
Fasterxml Jackson 1.5 cpe:/a:fasterxml:jackson:1.5
Fasterxml Jackson 1.6 cpe:/a:fasterxml:jackson:1.6
Fasterxml Jackson 1.7 cpe:/a:fasterxml:jackson:1.7
Fasterxml Jackson 1.8 cpe:/a:fasterxml:jackson:1.8
Fasterxml Jackson 1.9 cpe:/a:fasterxml:jackson:1.9
Fasterxml Jackson-databind 2.6.0 cpe:/a:fasterxml:jackson-databind:2.6.0:rc1
Fasterxml Jackson-databind 2.6.0 cpe:/a:fasterxml:jackson-databind:2.6.0:rc2
Fasterxml Jackson-databind 2.6.0 cpe:/a:fasterxml:jackson-databind:2.6.0:rc3
Fasterxml Jackson-databind 2.6.0 cpe:/a:fasterxml:jackson-databind:2.6.0:rc4
Fasterxml Jackson-databind 2.7.0 cpe:/a:fasterxml:jackson-databind:2.7.0:rc1
Fasterxml Jackson-databind 2.7.0 cpe:/a:fasterxml:jackson-databind:2.7.0:rc2
Fasterxml Jackson-databind 2.7.0 cpe:/a:fasterxml:jackson-databind:2.7.0:rc3
Fasterxml Jackson-databind 2.6.0 cpe:/a:fasterxml:jackson-databind:2.6.0:-
Fasterxml Jackson-databind 2.7.0 cpe:/a:fasterxml:jackson-databind:2.7.0:-
Redhat Virtualization Host 4.0 cpe:/a:redhat:virtualization_host:4.0
Redhat Virtualization 4.0 cpe:/o:redhat:virtualization:4.0
Redhat Jboss Enterprise Application Platform 6.0.0 cpe:/a:redhat:jboss_enterprise_application_platform:6.0.0
Redhat Jboss Enterprise Application Platform 6.4.0 cpe:/a:redhat:jboss_enterprise_application_platform:6.4.0
Redhat Jboss Enterprise Application Platform 7.0.0 cpe:/a:redhat:jboss_enterprise_application_platform:7.0.0
Redhat Jboss Enterprise Application Platform 7.1.0 cpe:/a:redhat:jboss_enterprise_application_platform:7.1.0
  1. Debian (1) Search CVE
    1. Debian Linux (2) Search CVE
      1. 8.0
      2. 9.0
  2. Fasterxml (2) Search CVE
    1. Jackson-databind (29) Search CVE
      1. 2.6.0
      2. 2.6.1
      3. 2.6.2
      4. 2.6.3
      5. 2.6.4
      6. 2.6.5
      7. 2.6.6
      8. 2.6.7
      9. 2.7.0
      10. 2.7.1
      11. 2.7.1-1
      12. 2.7.2
      13. 2.7.3
      14. 2.7.4
      15. 2.7.5
      16. 2.7.6
      17. 2.7.7
      18. 2.7.8
      19. 2.7.9
      20. 2.8.0
      21. 2.8.1
      22. 2.8.2
      23. 2.8.3
      24. 2.8.4
      25. 2.8.5
      26. 2.8.6
      27. 2.8.7
      28. 2.8.8
      29. 2.8.8.1
    2. Jackson (12) Search CVE
      1. 1.0.0
      2. 1.1.0
      3. 1.1.2
      4. 1.2.0
      5. 1.3
      6. 1.4.0
      7. 1.4.6
      8. 1.5
      9. 1.6
      10. 1.7
      11. 1.8
      12. 1.9
  3. Redhat (3) Search CVE
    1. Virtualization (1) Search CVE
      1. 4.0
    2. Jboss Enterprise Application Platform (4) Search CVE
      1. 6.0.0
      2. 6.4.0
      3. 7.0.0
      4. 7.1.0
    3. Virtualization Host (1) Search CVE
      1. 4.0

CWE

ID Name Description Links
CWE-502 Deserialization of Untrusted Data The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid. CVE

References

Source Link
REDHAT https://access.redhat.com/errata/RHSA-2017:2546
DEBIAN https://www.debian.org/security/2017/dsa-4004
REDHAT https://access.redhat.com/errata/RHSA-2017:2638
CONFIRM https://github.com/FasterXML/jackson-databind/issues/1599
CONFIRM https://bugzilla.redhat.com/show_bug.cgi?id=1462702
CONFIRM https://github.com/FasterXML/jackson-databind/issues/1723
REDHAT https://access.redhat.com/errata/RHSA-2017:1840
SECTRACK http://www.securitytracker.com/id/1039744
CONFIRM https://security.netapp.com/advisory/ntap-20171214-0002/
REDHAT https://access.redhat.com/errata/RHSA-2017:3458
REDHAT https://access.redhat.com/errata/RHSA-2017:2635
REDHAT https://access.redhat.com/errata/RHSA-2017:2547
REDHAT https://access.redhat.com/errata/RHSA-2017:1839
REDHAT https://access.redhat.com/errata/RHSA-2017:1837
REDHAT https://access.redhat.com/errata/RHSA-2017:2636
REDHAT https://access.redhat.com/errata/RHSA-2017:3455
REDHAT https://access.redhat.com/errata/RHSA-2017:2477
SECTRACK http://www.securitytracker.com/id/1039947
REDHAT https://access.redhat.com/errata/RHSA-2017:2637
REDHAT https://access.redhat.com/errata/RHSA-2017:3454
REDHAT https://access.redhat.com/errata/RHSA-2017:3141
REDHAT https://access.redhat.com/errata/RHSA-2017:3456
REDHAT https://access.redhat.com/errata/RHSA-2017:1836
REDHAT https://access.redhat.com/errata/RHSA-2017:1835
BID http://www.securityfocus.com/bid/99623
REDHAT https://access.redhat.com/errata/RHSA-2017:2633
CONFIRM https://cwiki.apache.org/confluence/display/WW/S2-055
REDHAT https://access.redhat.com/errata/RHSA-2018:0294
SECTRACK http://www.securitytracker.com/id/1040360
REDHAT https://access.redhat.com/errata/RHSA-2018:0342
REDHAT https://access.redhat.com/errata/RHSA-2017:1834
CONFIRM http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
REDHAT https://access.redhat.com/errata/RHSA-2018:1450
REDHAT https://access.redhat.com/errata/RHSA-2018:1449
CONFIRM http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
CONFIRM https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03902en_us
CONFIRM http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
CONFIRM https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
MISC https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
REDHAT https://access.redhat.com/errata/RHSA-2019:0910
MLIST https://lists.apache.org/thread.html/3c87dc8bca99a2b3b4743713b33d1de05b1d6b761fdf316224e9c81f@%3Cdev.lucene.apache.org%3E
MLIST https://lists.apache.org/thread.html/b1f33fe5ade396bb903fdcabe9f243f7692c7dfce5418d3743c2d346@%3Cdev.lucene.apache.org%3E
MLIST https://lists.apache.org/thread.html/f60afd3c7e9ebaaf70fad4a4beb75cf8740ac959017a31e7006c7486@%3Cdev.lucene.apache.org%3E
MLIST https://lists.apache.org/thread.html/c2ed4c0126b43e324cf740012a0edd371fd36096fd777be7bfe7a2a6@%3Cdev.lucene.apache.org%3E
MLIST https://lists.apache.org/thread.html/c10a2bf0fdc3d25faf17bd191d6ec46b29a353fa9c97bebd7c4e5913@%3Cdev.lucene.apache.org%3E
MISC https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
REDHAT https://access.redhat.com/errata/RHSA-2019:2858

History of changes

Date Event
2019-09-27 03:15
2019-08-30 15:31
2019-08-21 14:48
2019-04-30 18:29
2019-04-23 19:31
2019-04-08 19:29
2019-03-25 16:29
2019-01-16 19:29
2018-10-17 01:30
2018-09-27 15:29
2018-09-27 10:29
2018-09-11 12:16
2018-07-19 01:29
2018-05-17 01:29
2018-04-20 01:29
2018-02-27 19:33
2018-02-24 02:29
2018-02-14 02:29
2018-02-09 02:29
2018-02-08 02:29
2018-02-07 02:29
2018-02-06 15:29

New CVE