GHSA-h592-38cm-4ggp
Suggest an improvement- Source
- https://github.com/advisories/GHSA-h592-38cm-4ggp
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-h592-38cm-4ggp/GHSA-h592-38cm-4ggp.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-h592-38cm-4ggp
- Aliases
- Published
- 2018-10-18T17:42:34Z
- Modified
- 2024-03-15T01:19:32.453456Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- jackson-databind vulnerable to deserialization flaw leading to unauthenticated remote code execution
- Details
-
jackson-databind in versions prior to 2.8.11 and 2.9.4 contain a deserialization flaw which allows an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525, blacklisting additonal vulnerable classes.
- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2017-15095
- https://github.com/FasterXML/jackson-databind/issues/1680
- https://github.com/FasterXML/jackson-databind/issues/1737
- https://github.com/FasterXML/jackson-databind/commit/a054585e2175ad0882f07bcafedecfac86230f1b
- https://github.com/FasterXML/jackson-databind/commit/a3939d36edcc755c8af55bdc1969e0fa8438f9db
- https://github.com/FasterXML/jackson-databind/commit/ddfddfba6414adbecaff99684ef66eebd3a92e92
- https://github.com/FasterXML/jackson-databind/commit/e865a7a4464da63ded9f4b1a2328ad85c9ded78b
- https://github.com/FasterXML/jackson-databind/commit/e8f043d1aac9b82eee907e0f0c3abbdea723a935
- https://github.com/tolbertam/jackson-databind/commit/80566a0f96b2003863f9d8f9ccc3b562001e147b
- https://access.redhat.com/errata/RHSA-2017:3189
- https://lists.apache.org/thread.html/f095a791bda6c0595f691eddd0febb2d396987eec5cbd29120d8c629@%3Csolr-user.lucene.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2020/01/msg00037.html
- https://security.netapp.com/advisory/ntap-20171214-0003
- https://web.archive.org/web/20200401000000*/http://www.securityfocus.com/bid/103880
- https://web.archive.org/web/20201221192044/http://www.securitytracker.com/id/1039769
- https://www.debian.org/security/2017/dsa-4037
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
- https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
- https://access.redhat.com/errata/RHSA-2017:3190
- https://access.redhat.com/errata/RHSA-2018:0342
- https://access.redhat.com/errata/RHSA-2018:0478
- https://access.redhat.com/errata/RHSA-2018:0479
- https://access.redhat.com/errata/RHSA-2018:0480
- https://access.redhat.com/errata/RHSA-2018:0481
- https://access.redhat.com/errata/RHSA-2018:0576
- https://access.redhat.com/errata/RHSA-2018:0577
- https://access.redhat.com/errata/RHSA-2018:1447
- https://access.redhat.com/errata/RHSA-2018:1448
- https://access.redhat.com/errata/RHSA-2018:1449
- https://access.redhat.com/errata/RHSA-2018:1450
- https://access.redhat.com/errata/RHSA-2018:1451
- https://access.redhat.com/errata/RHSA-2018:2927
- https://access.redhat.com/errata/RHSA-2019:2858
- https://access.redhat.com/errata/RHSA-2019:3149
- https://access.redhat.com/errata/RHSA-2019:3892
- https://github.com/FasterXML/jackson-databind
- http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
- http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
- http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
Affected packages
Maven / com.fasterxml.jackson.core:jackson-databind
Package
- Name
- com.fasterxml.jackson.core:jackson-databind
- View open source insights on deps.dev
- Purl
- pkg:maven/com.fasterxml.jackson.core/jackson-databind
Maven / com.fasterxml.jackson.core:jackson-databind
Package
- Name
- com.fasterxml.jackson.core:jackson-databind
- View open source insights on deps.dev
- Purl
- pkg:maven/com.fasterxml.jackson.core/jackson-databind
Maven / com.fasterxml.jackson.core:jackson-databind
Package
- Name
- com.fasterxml.jackson.core:jackson-databind
- View open source insights on deps.dev
- Purl
- pkg:maven/com.fasterxml.jackson.core/jackson-databind
Affected versions
2.*
2.0.0
2.0.1
2.0.2
2.0.4
2.0.5
2.0.6
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.2.0-rc1
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.3.0-rc1
2.3.0
2.3.1
2.3.2
2.3.3
2.3.4
2.3.5
2.4.0-rc1
2.4.0-rc2
2.4.0-rc3
2.4.0
2.4.1
2.4.1.1
2.4.1.2
2.4.1.3
2.4.2
2.4.3
2.4.4
2.4.5
2.4.5.1
2.4.6
2.4.6.1
2.5.0-rc1
2.5.0
2.5.1
2.5.2
2.5.3
2.5.4
2.5.5
2.6.0-rc1
2.6.0-rc2
2.6.0-rc3
2.6.0-rc4
2.6.0
2.6.1
2.6.2
2.6.3
2.6.4
2.6.5
2.6.6
2.6.7
2.6.7.1
2.6.7.2
Maven / com.fasterxml.jackson.core:jackson-databind
Package
- Name
- com.fasterxml.jackson.core:jackson-databind
- View open source insights on deps.dev
- Purl
- pkg:maven/com.fasterxml.jackson.core/jackson-databind