Vulnerability in Fasterxml Jackson-databind
CVE-2017-7525
A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method…
EPSS: 0.824 (99.2th percentile) — read the EPSS interpretation.
Affected products
- Fasterxml Jackson-databind — versions before 2.7.9.1, before 2.8.9, before 2.6.7.1
Weakness classification (CWE)
Public proof-of-concept exploits
- SecureSkyTechnology/study-struts2-s2-054_055-jackson-cve-2017-7525_cve-2017-15095
- JavanXD/Demo-Exploit-Jackson-RCE
- Ingenuity-Fainting-Goats/CVE-2017-7525-Jackson-Deserialization-Lab
- Dannners/jackson-deserialization-2017-7525
- Nazicc/S2-055
- BassinD/jackson-RCE
- BrittanyKuhn/javascript-tutorial
- CatalanCabbage/king-of-pop
- CrackerCat/myhktools
- klausware/Java-Deserialization-Cheat-Sheet
References
- 1040360 (vdb-entry, x_refsource_SECTRACK)
- RHSA-2017:1840 (x_refsource_REDHAT, vendor-advisory)
- RHSA-2017:2547 (x_refsource_REDHAT, vendor-advisory)
- RHSA-2017:1836 (x_refsource_REDHAT, vendor-advisory)
- RHSA-2017:1835 (x_refsource_REDHAT, vendor-advisory)
- RHSA-2018:1449 (x_refsource_REDHAT, vendor-advisory)
- 1039744 (vdb-entry, x_refsource_SECTRACK)
- 1039947 (vdb-entry, x_refsource_SECTRACK)
- RHSA-2017:2635 (x_refsource_REDHAT, vendor-advisory)
- RHSA-2017:2638 (x_refsource_REDHAT, vendor-advisory)
Frequently asked questions
- What is CVE-2017-7525?
- CVE-2017-7525 is a vulnerability in Fasterxml Jackson-databind, classified under Incomplete List of Disallowed Inputs. Published 2018-02-06.
- Is CVE-2017-7525 known to be exploited?
- 83 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.