CVE-2017-17485
on github
on github
Published
Severity
CVSS v3:
9.8 CRITICAL
CVSS v2:
7.5 HIGH
Description
FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.
References
- https://github.com/irsl/jackson-rce-via-spel/
- https://github.com/FasterXML/jackson-databind/issues/1855
- https://access.redhat.com/errata/RHSA-2018:0116
- https://security.netapp.com/advisory/ntap-20180201-0003/
- https://www.debian.org/security/2018/dsa-4114
- https://access.redhat.com/errata/RHSA-2018:0342
- https://access.redhat.com/errata/RHSA-2018:0481
- https://access.redhat.com/errata/RHSA-2018:0480
- https://access.redhat.com/errata/RHSA-2018:0479
- https://access.redhat.com/errata/RHSA-2018:0478
- https://access.redhat.com/errata/RHSA-2018:1451
- https://access.redhat.com/errata/RHSA-2018:1450
- https://access.redhat.com/errata/RHSA-2018:1449
- https://access.redhat.com/errata/RHSA-2018:1448
- https://access.redhat.com/errata/RHSA-2018:1447
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03902en_us
- http://www.securityfocus.com/archive/1/541652/100/0/threaded
- https://access.redhat.com/errata/RHSA-2018:2930
- https://access.redhat.com/errata/RHSA-2019:1782
- https://access.redhat.com/errata/RHSA-2019:1797
- https://access.redhat.com/errata/RHSA-2019:2858
- https://access.redhat.com/errata/RHSA-2019:3149
- https://access.redhat.com/errata/RHSA-2019:3892
- https://www.oracle.com/security-alerts/cpuoct2020.html
Configurations
| CPE23 | Version Start | Version End | Exact Version |
|---|---|---|---|
| cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:* | 2.8.0 (including) | 2.8.11 | * |
| cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:* | 2.9.0 (including) | 2.9.4 | * |
| cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:* | 2.6.0 (including) | 2.6.7.3 | * |
| cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:* | 2.7.0 (including) | 2.7.9.2 | * |
| cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:* | n/a | n/a | 8.0 |
| cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* | n/a | n/a | 9.0 |
| cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:* | n/a | n/a | 3.11 |
| cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:* | n/a | n/a | - |
| cpe:2.3:a:netapp:e-series_santricity_web_services_proxy:-:*:*:*:*:*:*:* | n/a | n/a | - |
| cpe:2.3:a:netapp:e-series_santricity_os_controller:*:*:*:*:*:*:*:* | 11.0.0 (including) | 11.60.3 (including) | * |
| cpe:2.3:a:netapp:oncommand_shift:-:*:*:*:*:*:*:* | n/a | n/a | - |
| cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:* | n/a | 2.6.7.3 | * |