Vulnerability in FasterXML jackson-databind
CVE-2017-15095
A deserialization flaw was discovered in jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of the…
EPSS: 0.079 (92.2th percentile)
Affected products
- FasterXML jackson-databind — versions before 2.9.1, before 2.8.10
Weakness classification (CWE)
Public proof-of-concept exploits
- ARPSyndicate/cvemon
- AdeliaNitzsche/Java-Deserialization-Cheat-Sheet
- BrittanyKuhn/javascript-tutorial
- GrrrDog/Java-Deserialization-Cheat-Sheet
- InternalBenchmarkDebricked/ependency-demo-reachability-test-no-cache
- Live-Hack-CVE/CVE-2017-15095
- NetW0rK1le3r/awesome-hacking-lists
- OWASP/www-project-ide-vulscanner
- PalindromeLabs/Java-Deserialization-CVEs
- SecureSkyTechnology/study-struts2-s2-054_
References
- RHSA-2018:1448 (x_refsource_REDHAT, vendor-advisory)
- 103880 (vdb-entry, x_refsource_BID)
- RHSA-2018:0479 (x_refsource_REDHAT, vendor-advisory)
- RHSA-2018:0481 (x_refsource_REDHAT, vendor-advisory)
- RHSA-2018:1449 (x_refsource_REDHAT, vendor-advisory)
- RHSA-2018:1450 (x_refsource_REDHAT, vendor-advisory)
- RHSA-2018:0577 (x_refsource_REDHAT, vendor-advisory)
- RHSA-2018:0576 (x_refsource_REDHAT, vendor-advisory)
- RHSA-2017:3190 (x_refsource_REDHAT, vendor-advisory)
- RHSA-2018:1451 (x_refsource_REDHAT, vendor-advisory)
Frequently asked questions
- What is CVE-2017-15095?
  CVE-2017-15095 is a vulnerability in FasterXML jackson-databind, classified under Incomplete List of Disallowed Inputs. Published 2018-02-06.
- Is CVE-2017-15095 known to be exploited?
  25 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.