UBUNTU-CVE-2017-15095

See a problem?
Please try reporting it to the source first.
Source
https://ubuntu.com/security/CVE-2017-15095
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2017/UBUNTU-CVE-2017-15095.json
JSON Data
https://api.test.osv.dev/v1/vulns/UBUNTU-CVE-2017-15095
Related
Published
2018-02-06T15:29:00Z
Modified
2025-06-03T17:31:52Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.

References

Affected packages

Ubuntu:Pro:14.04:LTS / jackson-databind

Package

Name
jackson-databind
Purl
pkg:deb/ubuntu/jackson-databind@2.2.2-1ubuntu0.1~esm1?arch=source&distro=trusty/esm

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.2.2-1ubuntu0.1~esm1

Affected versions

2.*

2.2.2-1

Ecosystem specific 

{
    "availability": "Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "2.2.2-1ubuntu0.1~esm1",
            "binary_name": "libjackson2-databind-java"
        },
        {
            "binary_version": "2.2.2-1ubuntu0.1~esm1",
            "binary_name": "libjackson2-databind-java-doc"
        }
    ]
}

Ubuntu:Pro:14.04:LTS / libjackson-json-java

Package

Name
libjackson-json-java
Purl
pkg:deb/ubuntu/libjackson-json-java@1.9.2-3+deb8u1build0.14.04.1~esm1?arch=source&distro=trusty/esm

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.9.2-3+deb8u1build0.14.04.1~esm1

Affected versions

1.*

1.9.2-1
1.9.2-2
1.9.2-3

Ecosystem specific 

{
    "availability": "Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "1.9.2-3+deb8u1build0.14.04.1~esm1",
            "binary_name": "libjackson-json-java"
        },
        {
            "binary_version": "1.9.2-3+deb8u1build0.14.04.1~esm1",
            "binary_name": "libjackson-json-java-doc"
        }
    ]
}

Ubuntu:16.04:LTS / libjackson-json-java

Package

Name
libjackson-json-java
Purl
pkg:deb/ubuntu/libjackson-json-java@1.9.2-7ubuntu0.2?arch=source&distro=xenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.9.2-7ubuntu0.2

Affected versions

1.*

1.9.2-3
1.9.2-4
1.9.2-5
1.9.2-6
1.9.2-7

Ecosystem specific 

{
    "availability": "No subscription required",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "1.9.2-7ubuntu0.2",
            "binary_name": "libjackson-json-java"
        },
        {
            "binary_version": "1.9.2-7ubuntu0.2",
            "binary_name": "libjackson-json-java-doc"
        }
    ]
}

Ubuntu:Pro:16.04:LTS / jackson-databind

Package

Name
jackson-databind
Purl
pkg:deb/ubuntu/jackson-databind@2.4.2-3ubuntu0.1~esm1?arch=source&distro=esm-apps/xenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.4.2-3ubuntu0.1~esm1

Affected versions

2.*

2.4.2-2
2.4.2-3

Ecosystem specific 

{
    "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "2.4.2-3ubuntu0.1~esm1",
            "binary_name": "libjackson2-databind-java"
        },
        {
            "binary_version": "2.4.2-3ubuntu0.1~esm1",
            "binary_name": "libjackson2-databind-java-doc"
        }
    ]
}

Ubuntu:18.04:LTS / jackson-databind

Package

Name
jackson-databind
Purl
pkg:deb/ubuntu/jackson-databind@2.9.1-1?arch=source&distro=bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.9.1-1

Affected versions

2.*

2.8.6-1

Ecosystem specific 

{
    "availability": "No subscription required",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "2.9.1-1",
            "binary_name": "libjackson2-databind-java"
        },
        {
            "binary_version": "2.9.1-1",
            "binary_name": "libjackson2-databind-java-doc"
        }
    ]
}

Ubuntu:Pro:18.04:LTS / libjackson-json-java

Package

Name
libjackson-json-java
Purl
pkg:deb/ubuntu/libjackson-json-java@1.9.13-1~18.04?arch=source&distro=esm-apps/bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.9.2-8
1.9.2-9
1.9.13-1~18.04

Ecosystem specific 

{
    "ubuntu_priority": "medium"
}

Ubuntu:Pro:20.04:LTS / libjackson-json-java

Package

Name
libjackson-json-java
Purl
pkg:deb/ubuntu/libjackson-json-java@1.9.13-1?arch=source&distro=esm-apps/focal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.9.13-1

Ecosystem specific 

{
    "ubuntu_priority": "medium"
}

Ubuntu:22.04:LTS / libjackson-json-java

Package

Name
libjackson-json-java
Purl
pkg:deb/ubuntu/libjackson-json-java@1.9.13-2?arch=source&distro=jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.9.13-2

Ecosystem specific 

{
    "availability": "No subscription required",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "1.9.13-2",
            "binary_name": "libjackson-json-java"
        },
        {
            "binary_version": "1.9.13-2",
            "binary_name": "libjackson-json-java-doc"
        }
    ]
}

Ubuntu:24.10 / libjackson-json-java

Package

Name
libjackson-json-java
Purl
pkg:deb/ubuntu/libjackson-json-java@1.9.13-2?arch=source&distro=oracular

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.9.13-2

Ecosystem specific 

{
    "availability": "No subscription required",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "1.9.13-2",
            "binary_name": "libjackson-json-java"
        },
        {
            "binary_version": "1.9.13-2",
            "binary_name": "libjackson-json-java-doc"
        }
    ]
}

Ubuntu:24.04:LTS / libjackson-json-java

Package

Name
libjackson-json-java
Purl
pkg:deb/ubuntu/libjackson-json-java@1.9.13-2?arch=source&distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.9.13-2

Ecosystem specific 

{
    "availability": "No subscription required",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "1.9.13-2",
            "binary_name": "libjackson-json-java"
        },
        {
            "binary_version": "1.9.13-2",
            "binary_name": "libjackson-json-java-doc"
        }
    ]
}

Ubuntu:25.04 / libjackson-json-java

Package

Name
libjackson-json-java
Purl
pkg:deb/ubuntu/libjackson-json-java@1.9.13-2?arch=source&distro=plucky

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.9.13-2

Ecosystem specific 

{
    "availability": "No subscription required",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "1.9.13-2",
            "binary_name": "libjackson-json-java"
        },
        {
            "binary_version": "1.9.13-2",
            "binary_name": "libjackson-json-java-doc"
        }
    ]
}