CVE-2017-7525 com.fasterxml.jackson.core:jackson-databind

Package

Manager: maven
Name: com.fasterxml.jackson.core:jackson-databind
Vulnerable Version: >=0 <2.6.7.1 || >=2.7.0 <2.7.9.1 || >=2.8.0 <2.8.9

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.77336 (percentile 0.9894)

Details

jackson-databind is vulnerable to a deserialization flaw. A deserialization flaw was discovered in jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of the ObjectMapper.

Metadata

Created: 2018-10-16T17:21:35Z
Modified: 2024-03-01T21:41:47Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-qxxx-2pp7-5hmx/GHSA-qxxx-2pp7-5hmx.json
CWE IDs: ["CWE-184", "CWE-502"]
Alternative ID: GHSA-qxxx-2pp7-5hmx
Finding: F096
Auto approve: 1