
CVE-2017-17485

CVSS Severity Score: 9.8 (CRITICAL)
EPSS Score: 0.0760%
EPSS Percentile: 40.02
Published: Jan 10, 2018
Last Modified: Aug 27, 2025

Vulnerability Description

FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.

Affected Platforms (CPE)

Type | Vendor    | Product                                 | Affected Versions
📦   | Fasterxml | Jackson Databind                        | < 2.6.7.3
📦   | Fasterxml | Jackson Databind                        | >= 2.7.0 and < 2.7.9.2
📦   | Fasterxml | Jackson Databind                        | >= 2.8.0 and < 2.8.11
📦   | Fasterxml | Jackson Databind                        | >= 2.9.0 and < 2.9.4
💻   | Debian    | Debian Linux                            | = 8.0
💻   | Debian    | Debian Linux                            | = 9.0
📦   | Redhat    | Jboss Enterprise Application Platform   | = 6.0.0
📦   | Redhat    | Jboss Enterprise Application Platform   | = 6.4.0
📦   | Redhat    | Jboss Enterprise Application Platform   | = 7.1
📦   | Redhat    | Openshift Container Platform            | = 4.1
📦   | Redhat    | Openshift Container Platform            | = 3.11
📦   | Netapp    | E Series Santricity Os Controller       | >= 11.0.0 and <= 11.60.3
📦   | Netapp    | E Series Santricity Web Services Proxy  | All versions
📦   | Netapp    | Oncommand Shift                         | All versions
📦   | Netapp    | Snapcenter                              | All versions