
CVE-2017-17485

CVSS Severity Score: 9.8 (CRITICAL)
EPSS Score: 0.0760%
EPSS Percentile: 40.02
Published: January 10, 2018
Last Modified: August 27, 2025

Vulnerability Description

FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. It is exploitable by sending maliciously crafted JSON input to the readValue method of ObjectMapper, bypassing a class-name blacklist that is ineffective if the Spring libraries are available on the classpath. As with CVE-2017-7525, the application must have enabled polymorphic type handling for the target type (for example via ObjectMapper.enableDefaultTyping() or a @JsonTypeInfo annotation that accepts class names) so that the JSON input can choose which class is instantiated; the blacklist added for the earlier CVE only blocks the gadget class names it knows about, and Spring ships classes that are not on that list.
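As an added example (not code from this CVE page or from the jackson-databind project), the Java program below shows the mechanism the description refers to: once default typing is enabled, the JSON input names the class that ObjectMapper.readValue instantiates and whose setters it calls, and a class-name blacklist can only stop names it already knows. SideEffectBean is a harmless stand-in for a gadget, constructed for this example; the real Spring classes used to bypass the blacklist are deliberately not reproduced. The hardened mapper uses the allowlisting PolymorphicTypeValidator API that jackson-databind 2.10 introduced, so the example assumes jackson-databind 2.10 or later on the classpath; Envelope, Greeting, DefaultTypingDemo and the two JSON strings are all constructed for the example.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;

public class DefaultTypingDemo {

    // Application type. The field is declared as Object, so with default typing
    // the JSON input decides which concrete class Jackson instantiates for it.
    public static class Envelope {
        public Object payload;
    }

    // The only payload type the application legitimately expects.
    public static class Greeting {
        public String text;
    }

    // Stand-in for a gadget class (constructed for this example, harmless):
    // a bean whose setter has a side effect. Real gadgets do something
    // dangerous in a setter or constructor; this one only records that it ran.
    public static class SideEffectBean {
        public static boolean triggered = false;

        public void setCommand(String command) {
            triggered = true;
        }
    }

    // Constructed attacker input: the wrapper-array type id names the class.
    // Nested classes of a default-package class are named "Outer$Inner".
    static final String MALICIOUS_JSON =
        "{\"payload\":[\"DefaultTypingDemo$SideEffectBean\",{\"command\":\"anything\"}]}";

    // Constructed legitimate input naming the expected type.
    static final String BENIGN_JSON =
        "{\"payload\":[\"DefaultTypingDemo$Greeting\",{\"text\":\"hello\"}]}";

    // Vulnerable configuration (pre-2.10 style): global default typing with no
    // type validator. The only protection is the built-in class-name denylist,
    // which cannot know about a class it has never seen, which is the same
    // property the Spring-based bypass in CVE-2017-17485 relies on.
    static ObjectMapper vulnerableMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return mapper;
    }

    // Hardened configuration (2.10+): default typing is only activated together
    // with an allowlist validator, so the JSON may only name Greeting (or its
    // subclasses) for polymorphic fields; every other type id is rejected
    // before the class is instantiated.
    static ObjectMapper hardenedMapper() {
        BasicPolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType(Greeting.class)
            .build();
        return JsonMapper.builder()
            .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE)
            .build();
    }

    public static void main(String[] args) throws Exception {
        // 1. Vulnerable mapper: the attacker-chosen class is instantiated and
        //    its setter runs, purely because the JSON named it.
        vulnerableMapper().readValue(MALICIOUS_JSON, Envelope.class);
        System.out.println("vulnerable mapper ran SideEffectBean.setCommand: "
            + SideEffectBean.triggered);

        // 2. Hardened mapper: the expected type still deserializes normally...
        SideEffectBean.triggered = false;
        ObjectMapper hardened = hardenedMapper();
        Envelope ok = hardened.readValue(BENIGN_JSON, Envelope.class);
        System.out.println("hardened mapper accepted Greeting: " + ((Greeting) ok.payload).text);

        // ...but an unapproved type id is refused with InvalidTypeIdException,
        // and the stand-in gadget's setter never runs.
        try {
            hardened.readValue(MALICIOUS_JSON, Envelope.class);
            System.out.println("unexpected: malicious type id was accepted");
        } catch (InvalidTypeIdException e) {
            System.out.println("hardened mapper rejected type id: " + e.getTypeId());
        }
        System.out.println("hardened mapper ran SideEffectBean.setCommand: "
            + SideEffectBean.triggered);
    }
}
```

The point of the allowlist is that it does not depend on knowing which gadget classes exist on the classpath: the Spring bypass worked precisely because the 2.8.10/2.9.3 denylist was a finite list of names, and any new library added a new supply of candidates. When upgrading is not immediately possible, the same reasoning applies in reverse: if no field in the application genuinely needs polymorphic handling, do not enable default typing at all, and restrict any @JsonTypeInfo usage to JsonTypeInfo.Id.NAME with an explicit @JsonSubTypes list rather than class names.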

Affected Platforms (CPE)

- FasterXML jackson-databind: < 2.6.7.3
- FasterXML jackson-databind: >= 2.7.0 and < 2.7.9.2
- FasterXML jackson-databind: >= 2.8.0 and < 2.8.11
- FasterXML jackson-databind: >= 2.9.0 and < 2.9.4
- Debian Linux: 8.0
- Debian Linux: 9.0
- Red Hat JBoss Enterprise Application Platform: 6.0.0
- Red Hat JBoss Enterprise Application Platform: 6.4.0
- Red Hat JBoss Enterprise Application Platform: 7.1
- Red Hat OpenShift Container Platform: 4.1
- Red Hat OpenShift Container Platform: 3.11
- NetApp E-Series SANtricity OS Controller: >= 11.0.0 and <= 11.60.3
- NetApp E-Series SANtricity Web Services Proxy: all versions
- NetApp OnCommand Shift: all versions
- NetApp SnapCenter: all versions

References & Advisories

Related vulnerability information