CVE-2017-7525

Sažetak

A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.

Reference

https://github.com/FasterXML/jackson-databind/issues/1599
https://github.com/FasterXML/jackson-databind/issues/1723
https://bugzilla.redhat.com/show_bug.cgi?id=1462702
https://www.debian.org/security/2017/dsa-4004
https://security.netapp.com/advisory/ntap-20171214-0002/
https://access.redhat.com/errata/RHSA-2017:3458
https://access.redhat.com/errata/RHSA-2017:3456
https://access.redhat.com/errata/RHSA-2017:3455
https://access.redhat.com/errata/RHSA-2017:3454
https://access.redhat.com/errata/RHSA-2017:3141
https://access.redhat.com/errata/RHSA-2017:2638
https://access.redhat.com/errata/RHSA-2017:2637
https://access.redhat.com/errata/RHSA-2017:2636
https://access.redhat.com/errata/RHSA-2017:2635
https://access.redhat.com/errata/RHSA-2017:2633
https://access.redhat.com/errata/RHSA-2017:2547
https://access.redhat.com/errata/RHSA-2017:2546
https://access.redhat.com/errata/RHSA-2017:2477
https://access.redhat.com/errata/RHSA-2017:1840
https://access.redhat.com/errata/RHSA-2017:1839
https://access.redhat.com/errata/RHSA-2017:1837
https://access.redhat.com/errata/RHSA-2017:1836
https://access.redhat.com/errata/RHSA-2017:1835
https://access.redhat.com/errata/RHSA-2017:1834
http://www.securitytracker.com/id/1039947
http://www.securitytracker.com/id/1039744
http://www.securityfocus.com/bid/99623
https://cwiki.apache.org/confluence/display/WW/S2-055
https://access.redhat.com/errata/RHSA-2018:0294
http://www.securitytracker.com/id/1040360
https://access.redhat.com/errata/RHSA-2018:0342
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
https://access.redhat.com/errata/RHSA-2018:1450
https://access.redhat.com/errata/RHSA-2018:1449
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03902en_us
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
https://access.redhat.com/errata/RHSA-2019:0910
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
https://access.redhat.com/errata/RHSA-2019:2858
https://access.redhat.com/errata/RHSA-2019:3149
https://lists.debian.org/debian-lts-announce/2020/01/msg00037.html
https://lists.debian.org/debian-lts-announce/2020/08/msg00039.html
https://www.oracle.com/security-alerts/cpuoct2020.html
https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E
https://lists.apache.org/thread.html/f60afd3c7e9ebaaf70fad4a4beb75cf8740ac959017a31e7006c7486%40%3Cdev.lucene.apache.org%3E
https://lists.apache.org/thread.html/3c87dc8bca99a2b3b4743713b33d1de05b1d6b761fdf316224e9c81f%40%3Cdev.lucene.apache.org%3E
https://lists.apache.org/thread.html/c2ed4c0126b43e324cf740012a0edd371fd36096fd777be7bfe7a2a6%40%3Cdev.lucene.apache.org%3E
https://lists.apache.org/thread.html/c10a2bf0fdc3d25faf17bd191d6ec46b29a353fa9c97bebd7c4e5913%40%3Cdev.lucene.apache.org%3E
https://lists.apache.org/thread.html/b1f33fe5ade396bb903fdcabe9f243f7692c7dfce5418d3743c2d346%40%3Cdev.lucene.apache.org%3E
https://lists.apache.org/thread.html/4641ed8616ccc2c1fbddac2c3dc9900c96387bc226eaf0232d61909b%40%3Ccommits.cassandra.apache.org%3E
https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/5008bcbd45ee65ce39e4220b6ac53d28a24d6bc67d5804e9773a7399%40%3Csolr-user.lucene.apache.org%3E
https://lists.apache.org/thread.html/c9d5ff20929e8a3c8794facf4c4b326a9c10618812eec356caa20b87%40%3Csolr-user.lucene.apache.org%3E
https://lists.apache.org/thread.html/f095a791bda6c0595f691eddd0febb2d396987eec5cbd29120d8c629%40%3Csolr-user.lucene.apache.org%3E
https://lists.apache.org/thread.html/r68acf97f4526ba59a33cc6e592261ea4f85d890f99e79c82d57dd589%40%3Cissues.spark.apache.org%3E
https://lists.apache.org/thread.html/rf7f87810c38dc9abf9f93989f76008f504cbf7c1a355214640b2d04c%40%3Ccommits.cassandra.apache.org%3E
https://lists.apache.org/thread.html/r42ac3e39e6265db12d9fc6ae1cd4b5fea7aed9830dc6f6d58228fed7%40%3Ccommits.cassandra.apache.org%3E

CVSS

Base:	7.5
Impact:	6.4
Exploitability:	10.0

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	PARTIAL	PARTIAL

CVSS vektor

AV:N/AC:L/Au:N/C:P/I:P/A:P

Zadnje važnije ažuriranje

07-11-2023 - 02:50

Objavljeno

06-02-2018 - 15:29