CVE-2017-15095

CRITICAL

9.8

CVSS Severity Score

EPSS Score0.0220%

EPSS Percentile11.37th

PublishedFeb 6, 2018

Last ModifiedNov 21, 2024

Vulnerability Description

A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.

Affected Platforms (CPE)

📦

Fasterxml

Jackson Databind

>= 2.0.0 and < 2.6.7.2

📦

Fasterxml

Jackson Databind

>= 2.7.0 and < 2.7.9.2

📦

Fasterxml

Jackson Databind

>= 2.8.0 and < 2.8.10

📦

Fasterxml

Jackson Databind

= 2.9.0

📦

Fasterxml

Jackson Databind

= 2.9.0

📦

Fasterxml

Jackson Databind

= 2.9.0

📦

Fasterxml

Jackson Databind

= 2.9.0

📦

Fasterxml

Jackson Databind

= 2.9.0

💻

Debian

Debian Linux

= 8.0

💻

Debian

Debian Linux

= 9.0

📦

Redhat

Openshift Container Platform

= 3.11

📦

Redhat

Satellite

= 6.4

📦

Redhat

Satellite Capsule

= 6.4

📦

Redhat

Openshift Container Platform

= 4.1

📦

Redhat

Jboss Enterprise Application Platform

= 6.0.0

📦

Redhat

Jboss Enterprise Application Platform

= 6.4.0

📦

Redhat

Jboss Enterprise Application Platform

= 7.1.0

📦

Netapp

Oncommand Balance

All versions

📦

Netapp

Oncommand Performance Manager

All versions

📦

Netapp

Oncommand Performance Manager

All versions

📦

Netapp

Oncommand Shift

All versions

📦

Netapp

Snapcenter

All versions

📦

Oracle

Banking Platform

= 2.5.0

📦

Oracle

Banking Platform

= 2.6.0

📦

Oracle

Banking Platform

= 2.6.1

📦

Oracle

Banking Platform

= 2.6.2

📦

Oracle

Clusterware

= 12.1.0.2.0

📦

Oracle

Communications Billing And Revenue Management

= 7.5

📦

Oracle

Communications Billing And Revenue Management

= 12.0

📦

Oracle

Communications Diameter Signaling Router

< 8.3

📦

Oracle

Communications Instant Messaging Server

= 10.0.1.2.0

📦

Oracle

Database Server

= 12.2.0.1

📦

Oracle

Database Server

= 18.1

📦

Oracle

Enterprise Manager For Virtualization

= 13.2.2

📦

Oracle

Enterprise Manager For Virtualization

= 13.2.3

📦

Oracle

Enterprise Manager For Virtualization

= 13.3.1

📦

Oracle

Financial Services Analytical Applications Infrastructure

= 8.0.2

📦

Oracle

Financial Services Analytical Applications Infrastructure

= 8.0.3

📦

Oracle

Financial Services Analytical Applications Infrastructure

= 8.0.4

📦

Oracle

Financial Services Analytical Applications Infrastructure

= 8.0.5

📦

Oracle

Financial Services Analytical Applications Infrastructure

= 8.0.6

📦

Oracle

Financial Services Analytical Applications Infrastructure

= 8.0.7

📦

Oracle

Global Lifecycle Management Opatchauto

< 12.2.0.1.14

📦

Oracle

Identity Manager

= 11.1.2.3.0

📦

Oracle

Identity Manager

= 12.2.1.3.0

📦

Oracle

Jd Edwards Enterpriseone Tools

= 9.2

📦

Oracle

Primavera Unifier

>= 17.1 and <= 17.12

📦

Oracle

Primavera Unifier

= 16.1

📦

Oracle

Primavera Unifier

= 16.2

📦

Oracle

Primavera Unifier

= 18.8

📦

Oracle

Utilities Advanced Spatial And Operational Analytics

= 2.7.0.1

📦

Oracle

Webcenter Portal

= 12.2.1.3.0

References & Advisories

🔗 http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

🔗 http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

🔗 http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

🔗 http://www.securityfocus.com/bid/103880

🔗 http://www.securitytracker.com/id/1039769

🔗 https://access.redhat.com/errata/RHSA-2017:3189

🔗 https://access.redhat.com/errata/RHSA-2017:3190

🔗 https://access.redhat.com/errata/RHSA-2018:0342

Vulnerability Description

Affected Platforms (CPE)

Jackson Databind

Jackson Databind

Jackson Databind

Jackson Databind

Jackson Databind

Jackson Databind

Jackson Databind

Jackson Databind

Debian Linux

Debian Linux

Openshift Container Platform

Satellite

Satellite Capsule

Openshift Container Platform

Jboss Enterprise Application Platform

Jboss Enterprise Application Platform

Jboss Enterprise Application Platform

Oncommand Balance

Oncommand Performance Manager

Oncommand Performance Manager

Oncommand Shift

Snapcenter

Banking Platform

Banking Platform

Banking Platform

Banking Platform

Clusterware

Communications Billing And Revenue Management

Communications Billing And Revenue Management

Communications Diameter Signaling Router

Communications Instant Messaging Server

Database Server

Database Server

Enterprise Manager For Virtualization

Enterprise Manager For Virtualization

Enterprise Manager For Virtualization

Financial Services Analytical Applications Infrastructure

Financial Services Analytical Applications Infrastructure

Financial Services Analytical Applications Infrastructure

Financial Services Analytical Applications Infrastructure

Financial Services Analytical Applications Infrastructure

Financial Services Analytical Applications Infrastructure

Global Lifecycle Management Opatchauto

Identity Manager

Identity Manager

Jd Edwards Enterpriseone Tools

Primavera Unifier

Primavera Unifier

Primavera Unifier

Primavera Unifier

Utilities Advanced Spatial And Operational Analytics

Webcenter Portal

References & Advisories

Related Vulnerabilities