FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.
History

Fri, 23 Aug 2024 05:15:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:jboss_enterprise_application_platform:7::el7 cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2018-01-10T18:00:00

Updated: 2024-08-05T20:51:32.239Z

Reserved: 2017-12-10T00:00:00

Link: CVE-2017-17485

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2018-01-10T18:29:01.167

Modified: 2024-11-21T03:18:01.487

Link: CVE-2017-17485

cve-icon Redhat

Severity : Important

Publid Date: 2017-12-12T00:00:00Z

Links: CVE-2017-17485 - Bugzilla