vulnerability
Red Hat OpenShift: CVE-2017-17485: jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 8 | (AV:N/AC:L/Au:N/C:P/I:P/A:P) | Jan 10, 2018 | Oct 8, 2019 | Apr 14, 2025 |
Severity
8
CVSS
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
Published
Jan 10, 2018
Added
Oct 8, 2019
Modified
Apr 14, 2025
Description
FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.
Solution
linuxrpm-upgrade-logging
References
- CVE-2017-17485
- https://attackerkb.com/topics/CVE-2017-17485
- REDHAT-RHSA-2018:0116
- REDHAT-RHSA-2018:0342
- REDHAT-RHSA-2018:0478
- REDHAT-RHSA-2018:0479
- REDHAT-RHSA-2018:0480
- REDHAT-RHSA-2018:0481
- REDHAT-RHSA-2018:1447
- REDHAT-RHSA-2018:1448
- REDHAT-RHSA-2018:1449
- REDHAT-RHSA-2018:1450
- REDHAT-RHSA-2018:1451
- REDHAT-RHSA-2018:2930
- REDHAT-RHSA-2019:1782
- REDHAT-RHSA-2019:1797
- REDHAT-RHSA-2019:2858
- REDHAT-RHSA-2019:3149
- REDHAT-RHSA-2019:3892
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.