CVE-2017-7525
CRITICAL 9.8
EPSS 82.4%
jackson-databind - security update
Published: 10/16/2018
Modified: 4/28/2026
Description
A deserialization flaw was discovered in jackson-databind versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to execute code by sending maliciously crafted input to the readValue method of the ObjectMapper.
Affected packages (4)
- Debian/jackson-databind: from 0, < 2.9.1-1
- Debian/jackson-databind: from 0, < 2.4.2-2+deb8u1
- Debian/libjackson-json-java: from 0, < 1.9.13-2
- Maven/com.fasterxml.jackson.core:jackson-databind: from 0, < 2.6.7.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References (67)
- ADVISORY: https://github.com/advisories/GHSA-qxxx-2pp7-5hmx
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2017-7525
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2017-7525
- PATCH: https://github.com/FasterXML/jackson-databind
- WEB: https://access.redhat.com/errata/RHSA-2017:1834
- WEB: https://access.redhat.com/errata/RHSA-2017:1835
- WEB: https://access.redhat.com/errata/RHSA-2017:1836
- WEB: https://access.redhat.com/errata/RHSA-2017:1837
- WEB: https://access.redhat.com/errata/RHSA-2017:1839
- WEB: https://access.redhat.com/errata/RHSA-2017:1840
- WEB: https://access.redhat.com/errata/RHSA-2017:2477
- WEB: https://access.redhat.com/errata/RHSA-2017:2546
- WEB: https://access.redhat.com/errata/RHSA-2017:2547
- WEB: https://access.redhat.com/errata/RHSA-2017:2633
- WEB: https://access.redhat.com/errata/RHSA-2017:2635
- WEB: https://access.redhat.com/errata/RHSA-2017:2636
- WEB: https://access.redhat.com/errata/RHSA-2017:2637
- WEB: https://access.redhat.com/errata/RHSA-2017:2638
- WEB: https://access.redhat.com/errata/RHSA-2017:3141
- WEB: https://access.redhat.com/errata/RHSA-2017:3454
- WEB: https://access.redhat.com/errata/RHSA-2017:3455
- WEB: https://access.redhat.com/errata/RHSA-2017:3456
- WEB: https://access.redhat.com/errata/RHSA-2017:3458
- WEB: https://access.redhat.com/errata/RHSA-2018:0294
- WEB: https://access.redhat.com/errata/RHSA-2018:0342
- WEB: https://access.redhat.com/errata/RHSA-2018:1449
- WEB: https://access.redhat.com/errata/RHSA-2018:1450
- WEB: https://access.redhat.com/errata/RHSA-2019:0910
- WEB: https://access.redhat.com/errata/RHSA-2019:2858
- WEB: https://access.redhat.com/errata/RHSA-2019:3149
- WEB: https://bugzilla.redhat.com/show_bug.cgi?id=1462702
- WEB: https://cwiki.apache.org/confluence/display/WW/S2-055
- WEB: https://github.com/FasterXML/jackson-databind/commit/3bfbb835e530055c1941ddf87fde0b08d08dcd38
- WEB: https://github.com/FasterXML/jackson-databind/commit/60d459cedcf079c6106ae7da2ac562bc32dcabe1
- WEB: https://github.com/FasterXML/jackson-databind/commit/680d75b011edd67a2d2a2e9980998a968194c2ef
- WEB: https://github.com/FasterXML/jackson-databind/commit/6ce32ffd18facac6abdbbf559c817b47fcb622c1
- WEB: https://github.com/FasterXML/jackson-databind/commit/90042692085deeb05ae75c569c9909f7dba24415
- WEB: https://github.com/FasterXML/jackson-databind/commit/fa87c1ddbe803ebb7295f5c2ebfe38e12f6e6162
- WEB: https://github.com/FasterXML/jackson-databind/commit/fd8dec2c7fab8b4b4bd60502a0f1d63ec23c24da
- WEB: https://github.com/FasterXML/jackson-databind/issues/1599
- WEB: https://github.com/FasterXML/jackson-databind/issues/1723
- WEB: https://lists.apache.org/thread.html/3c87dc8bca99a2b3b4743713b33d1de05b1d6b761fdf316224e9c81f@%3Cdev.lucene.apache.org%3E
- WEB: https://lists.apache.org/thread.html/4641ed8616ccc2c1fbddac2c3dc9900c96387bc226eaf0232d61909b@%3Ccommits.cassandra.apache.org%3E
- WEB: https://lists.apache.org/thread.html/5008bcbd45ee65ce39e4220b6ac53d28a24d6bc67d5804e9773a7399@%3Csolr-user.lucene.apache.org%3E
- WEB: https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E
- WEB: https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E
- WEB: https://lists.apache.org/thread.html/b1f33fe5ade396bb903fdcabe9f243f7692c7dfce5418d3743c2d346@%3Cdev.lucene.apache.org%3E
- WEB: https://lists.apache.org/thread.html/c10a2bf0fdc3d25faf17bd191d6ec46b29a353fa9c97bebd7c4e5913@%3Cdev.lucene.apache.org%3E
- WEB: https://lists.apache.org/thread.html/c2ed4c0126b43e324cf740012a0edd371fd36096fd777be7bfe7a2a6@%3Cdev.lucene.apache.org%3E
- WEB: https://lists.apache.org/thread.html/c9d5ff20929e8a3c8794facf4c4b326a9c10618812eec356caa20b87@%3Csolr-user.lucene.apache.org%3E
- … 17 more