A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.
References
Link Providers
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html cve-icon cve-icon
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html cve-icon cve-icon
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html cve-icon cve-icon
http://www.securityfocus.com/bid/103880 cve-icon cve-icon
http://www.securitytracker.com/id/1039769 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2017:3189 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2017:3190 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2018:0342 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2018:0478 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2018:0479 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2018:0480 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2018:0481 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2018:0576 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2018:0577 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2018:1447 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2018:1448 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2018:1449 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2018:1450 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2018:1451 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2018:2927 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:2858 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:3149 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:3892 cve-icon cve-icon
https://access.redhat.com/solutions/3442891 cve-icon
https://github.com/FasterXML/jackson-databind/issues/1680 cve-icon cve-icon
https://github.com/FasterXML/jackson-databind/issues/1737 cve-icon cve-icon
https://lists.apache.org/thread.html/f095a791bda6c0595f691eddd0febb2d396987eec5cbd29120d8c629%40%3Csolr-user.lucene.apache.org%3E cve-icon cve-icon
https://lists.debian.org/debian-lts-announce/2020/01/msg00037.html cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2017-15095 cve-icon
https://security.netapp.com/advisory/ntap-20171214-0003/ cve-icon cve-icon
https://www.cve.org/CVERecord?id=CVE-2017-15095 cve-icon
https://www.debian.org/security/2017/dsa-4037 cve-icon cve-icon
https://www.oracle.com/security-alerts/cpuoct2020.html cve-icon cve-icon
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html cve-icon cve-icon
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html cve-icon cve-icon
History

Fri, 23 Aug 2024 05:30:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:jboss_enterprise_application_platform:7::el7 cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7

cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2018-02-06T15:00:00Z

Updated: 2024-09-16T22:57:07.488Z

Reserved: 2017-10-08T00:00:00

Link: CVE-2017-15095

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2018-02-06T15:29:00.233

Modified: 2023-11-07T02:39:19.883

Link: CVE-2017-15095

cve-icon Redhat

Severity : Important

Publid Date: 2017-11-02T00:00:00Z

Links: CVE-2017-15095 - Bugzilla