CVE-2017-7525
A deserialization flaw was discovered in jackson-databind versions before 2.6.7.1, 2.7.9.1 and 2.8.9 that could allow an unauthenticated user to execute code by sending maliciously crafted input to the readValue method of the ObjectMapper.
- Published date: 2018-02-06T15:29Z
- Last modification date: 2023-06-08T17:57Z
- Assigner: secalert@redhat.com
- Problem type: CWE-184
Impact
- CVSS v3 vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name | URL | Source | Tags |
---|---|---|---|
https://github.com/FasterXML/jackson-databind/issues/1599 | https://github.com/FasterXML/jackson-databind/issues/1599 | CONFIRM | Issue Tracking, Patch, Third Party Advisory |
https://github.com/FasterXML/jackson-databind/issues/1723 | https://github.com/FasterXML/jackson-databind/issues/1723 | CONFIRM | Issue Tracking, Third Party Advisory |
https://bugzilla.redhat.com/show_bug.cgi?id=1462702 | https://bugzilla.redhat.com/show_bug.cgi?id=1462702 | CONFIRM | Issue Tracking, Third Party Advisory |
DSA-4004 | https://www.debian.org/security/2017/dsa-4004 | DEBIAN | Third Party Advisory |
https://security.netapp.com/advisory/ntap-20171214-0002/ | https://security.netapp.com/advisory/ntap-20171214-0002/ | CONFIRM | Third Party Advisory |
RHSA-2017:3458 | https://access.redhat.com/errata/RHSA-2017:3458 | REDHAT | Third Party Advisory |
RHSA-2017:3456 | https://access.redhat.com/errata/RHSA-2017:3456 | REDHAT | Third Party Advisory |
RHSA-2017:3455 | https://access.redhat.com/errata/RHSA-2017:3455 | REDHAT | Third Party Advisory |
RHSA-2017:3454 | https://access.redhat.com/errata/RHSA-2017:3454 | REDHAT | Third Party Advisory |
RHSA-2017:3141 | https://access.redhat.com/errata/RHSA-2017:3141 | REDHAT | Third Party Advisory |
RHSA-2017:2638 | https://access.redhat.com/errata/RHSA-2017:2638 | REDHAT | Third Party Advisory |
RHSA-2017:2637 | https://access.redhat.com/errata/RHSA-2017:2637 | REDHAT | Third Party Advisory |
RHSA-2017:2636 | https://access.redhat.com/errata/RHSA-2017:2636 | REDHAT | Third Party Advisory |
RHSA-2017:2635 | https://access.redhat.com/errata/RHSA-2017:2635 | REDHAT | Third Party Advisory |
RHSA-2017:2633 | https://access.redhat.com/errata/RHSA-2017:2633 | REDHAT | Third Party Advisory |
RHSA-2017:2547 | https://access.redhat.com/errata/RHSA-2017:2547 | REDHAT | Third Party Advisory |
RHSA-2017:2546 | https://access.redhat.com/errata/RHSA-2017:2546 | REDHAT | Third Party Advisory |
RHSA-2017:2477 | https://access.redhat.com/errata/RHSA-2017:2477 | REDHAT | Third Party Advisory |
RHSA-2017:1840 | https://access.redhat.com/errata/RHSA-2017:1840 | REDHAT | Third Party Advisory |
RHSA-2017:1839 | https://access.redhat.com/errata/RHSA-2017:1839 | REDHAT | Third Party Advisory |
RHSA-2017:1837 | https://access.redhat.com/errata/RHSA-2017:1837 | REDHAT | Third Party Advisory |
RHSA-2017:1836 | https://access.redhat.com/errata/RHSA-2017:1836 | REDHAT | Third Party Advisory |
RHSA-2017:1835 | https://access.redhat.com/errata/RHSA-2017:1835 | REDHAT | Third Party Advisory |
RHSA-2017:1834 | https://access.redhat.com/errata/RHSA-2017:1834 | REDHAT | Third Party Advisory |
1039947 | http://www.securitytracker.com/id/1039947 | SECTRACK | Third Party Advisory, VDB Entry |
1039744 | http://www.securitytracker.com/id/1039744 | SECTRACK | Third Party Advisory, VDB Entry |
99623 | http://www.securityfocus.com/bid/99623 | BID | Third Party Advisory, VDB Entry |
https://cwiki.apache.org/confluence/display/WW/S2-055 | https://cwiki.apache.org/confluence/display/WW/S2-055 | CONFIRM | Third Party Advisory |
RHSA-2018:0294 | https://access.redhat.com/errata/RHSA-2018:0294 | REDHAT | Third Party Advisory |
1040360 | http://www.securitytracker.com/id/1040360 | SECTRACK | Third Party Advisory, VDB Entry |
RHSA-2018:0342 | https://access.redhat.com/errata/RHSA-2018:0342 | REDHAT | Third Party Advisory |
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html | http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html | CONFIRM | Patch, Third Party Advisory |
RHSA-2018:1450 | https://access.redhat.com/errata/RHSA-2018:1450 | REDHAT | Third Party Advisory |
RHSA-2018:1449 | https://access.redhat.com/errata/RHSA-2018:1449 | REDHAT | Third Party Advisory |
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html | http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html | CONFIRM | Patch, Third Party Advisory |
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03902en_us | https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03902en_us | CONFIRM | Third Party Advisory |
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html | http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html | CONFIRM | Patch, Third Party Advisory |
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html | https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html | CONFIRM | Patch, Third Party Advisory |
[lucene-dev] 20190325 [jira] [Closed] (SOLR-13110) CVE-2017-7525 Threat Level 9 Against Solr v7.6. org.codehaus.jackson : jackson-mapper-asl : 1.9.13. .A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, ... | https://lists.apache.org/thread.html/f60afd3c7e9ebaaf70fad4a4beb75cf8740ac959017a31e7006c7486@%3Cdev.lucene.apache.org%3E | MLIST | Mailing List, Third Party Advisory |
[lucene-dev] 20190325 [jira] [Assigned] (SOLR-13110) CVE-2017-7525 Threat Level 9 Against Solr v7.6. org.codehaus.jackson : jackson-mapper-asl : 1.9.13. .A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, ... | https://lists.apache.org/thread.html/c2ed4c0126b43e324cf740012a0edd371fd36096fd777be7bfe7a2a6@%3Cdev.lucene.apache.org%3E | MLIST | Mailing List, Third Party Advisory |
[lucene-dev] 20190325 [jira] [Resolved] (SOLR-13110) CVE-2017-7525 Threat Level 9 Against Solr v7.6. org.codehaus.jackson : jackson-mapper-asl : 1.9.13. .A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, ... | https://lists.apache.org/thread.html/c10a2bf0fdc3d25faf17bd191d6ec46b29a353fa9c97bebd7c4e5913@%3Cdev.lucene.apache.org%3E | MLIST | Mailing List, Third Party Advisory |
[lucene-dev] 20190325 [jira] [Updated] (SOLR-13110) CVE-2017-7525 Threat Level 9 Against Solr v7.6. org.codehaus.jackson : jackson-mapper-asl : 1.9.13. .A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, ... | https://lists.apache.org/thread.html/3c87dc8bca99a2b3b4743713b33d1de05b1d6b761fdf316224e9c81f@%3Cdev.lucene.apache.org%3E | MLIST | Mailing List, Third Party Advisory |
[lucene-dev] 20190325 [jira] [Updated] (SOLR-13110) CVE-2017-7525 Threat Level 9 Against Solr v7.6. org.codehaus.jackson : jackson-mapper-asl : 1.9.13. .A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, ... | https://lists.apache.org/thread.html/b1f33fe5ade396bb903fdcabe9f243f7692c7dfce5418d3743c2d346@%3Cdev.lucene.apache.org%3E | MLIST | Mailing List, Third Party Advisory |
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html | https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html | MISC | Patch, Third Party Advisory |
RHSA-2019:0910 | https://access.redhat.com/errata/RHSA-2019:0910 | REDHAT | Third Party Advisory |
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html | https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html | MISC | Patch, Third Party Advisory |
RHSA-2019:2858 | https://access.redhat.com/errata/RHSA-2019:2858 | REDHAT | Third Party Advisory |
RHSA-2019:3149 | https://access.redhat.com/errata/RHSA-2019:3149 | REDHAT | Third Party Advisory |
[lucene-solr-user] 20190104 Re: SOLR v7 Security Issues Caused Denial of Use - Sonatype Application Composition Report | https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E | MLIST | Mailing List, Third Party Advisory |
[cassandra-commits] 20191113 [jira] [Created] (CASSANDRA-15416) CVE-2017-7525 ( jackson-databind is vulnerable to Remote Code Execution) on version 3.11.4 | https://lists.apache.org/thread.html/4641ed8616ccc2c1fbddac2c3dc9900c96387bc226eaf0232d61909b@%3Ccommits.cassandra.apache.org%3E | MLIST | Mailing List, Third Party Advisory |
[druid-commits] 20191115 [GitHub] [incubator-druid] ccaominh opened a new pull request #8878: Address security vulnerabilities | https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E | MLIST | Mailing List, Third Party Advisory |
[lucene-solr-user] 20191218 CVE-2017-7525 fix for Solr 7.7.x | https://lists.apache.org/thread.html/5008bcbd45ee65ce39e4220b6ac53d28a24d6bc67d5804e9773a7399@%3Csolr-user.lucene.apache.org%3E | MLIST | Mailing List, Third Party Advisory |
[lucene-solr-user] 20191218 Re: CVE-2017-7525 fix for Solr 7.7.x | https://lists.apache.org/thread.html/c9d5ff20929e8a3c8794facf4c4b326a9c10618812eec356caa20b87@%3Csolr-user.lucene.apache.org%3E | MLIST | Mailing List, Third Party Advisory |
[lucene-solr-user] 20191219 Re: CVE-2017-7525 fix for Solr 7.7.x | https://lists.apache.org/thread.html/f095a791bda6c0595f691eddd0febb2d396987eec5cbd29120d8c629@%3Csolr-user.lucene.apache.org%3E | MLIST | Mailing List, Third Party Advisory |
[debian-lts-announce] 20200131 [SECURITY] [DLA 2091-1] libjackson-json-java security update | https://lists.debian.org/debian-lts-announce/2020/01/msg00037.html | MLIST | Mailing List, Third Party Advisory |
[debian-lts-announce] 20200824 [SECURITY] [DLA 2342-1] libjackson-json-java security update | https://lists.debian.org/debian-lts-announce/2020/08/msg00039.html | MLIST | Mailing List, Third Party Advisory |
https://www.oracle.com/security-alerts/cpuoct2020.html | https://www.oracle.com/security-alerts/cpuoct2020.html | MISC | Third Party Advisory |
[spark-issues] 20210223 [jira] [Created] (SPARK-34511) Current Security vulnerabilities in spark libraries | https://lists.apache.org/thread.html/r68acf97f4526ba59a33cc6e592261ea4f85d890f99e79c82d57dd589@%3Cissues.spark.apache.org%3E | MLIST | Mailing List, Third Party Advisory |
[cassandra-commits] 20210927 [jira] [Commented] (CASSANDRA-15416) CVE-2017-7525 ( jackson-databind is vulnerable to Remote Code Execution) on version 3.11.4 | https://lists.apache.org/thread.html/rf7f87810c38dc9abf9f93989f76008f504cbf7c1a355214640b2d04c@%3Ccommits.cassandra.apache.org%3E | MLIST | Mailing List, Third Party Advisory |
[cassandra-commits] 20210927 [jira] [Updated] (CASSANDRA-15416) CVE-2017-7525 ( jackson-databind is vulnerable to Remote Code Execution) on version 3.11.4 | https://lists.apache.org/thread.html/r42ac3e39e6265db12d9fc6ae1cd4b5fea7aed9830dc6f6d58228fed7@%3Ccommits.cassandra.apache.org%3E | MLIST | Mailing List, Third Party Advisory |