CVE-2017-17485
Published: 10 January 2018
FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.
From the Ubuntu Security Team
It was discovered that Jackson Databind incorrectly handled deserialization. An attacker could possibly use this issue to execute arbitrary code.
Notes
| Author | Note |
|---|---|
| msalvatore | The fix for CVE-2017-7525 has not yet been applied |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
jackson-databind Launchpad, Ubuntu, Debian |
artful |
Ignored
(end of life)
|
| bionic |
Not vulnerable
(2.9.4-1)
|
|
| cosmic |
Not vulnerable
(2.9.4-1)
|
|
| disco |
Not vulnerable
(2.9.4-1)
|
|
| eoan |
Not vulnerable
(2.9.4-1)
|
|
| focal |
Not vulnerable
(2.9.4-1)
|
|
| groovy |
Not vulnerable
(2.9.4-1)
|
|
| hirsute |
Not vulnerable
(2.9.4-1)
|
|
| impish |
Not vulnerable
(2.9.4-1)
|
|
| jammy |
Not vulnerable
(2.9.4-1)
|
|
| trusty |
Released
(2.2.2-1ubuntu0.1~esm1)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
|
| upstream |
Released
(2.9.4-1)
|
|
| xenial |
Released
(2.4.2-3ubuntu0.1~esm1)
Available with Ubuntu Pro |
|
| zesty |
Ignored
(end of life)
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 9.8 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |