Description
A deserialization flaw was discovered in jackson-databind versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of the ObjectMapper. This issue is a follow-up to the previous flaw CVE-2017-7525; the fix extends that one by blacklisting more classes that could be used maliciously.
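The blacklist referred to above only comes into play when the ObjectMapper has been told to honour attacker-supplied class names, i.e. when polymorphic (default) typing is enabled. As an added example that is not part of this advisory or of the jackson-databind project, the configuration below contrasts the blanket `enableDefaultTyping()` setting with the allowlist-scoped validator that jackson-databind 2.10 and later provide; the `Event` interface and the `com.example.events.` package are hypothetical.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class MapperConfig {

    // Marker interface for the application's own polymorphic payloads (hypothetical).
    public interface Event {}

    // Weak setting: every property declared as Object, an interface or a
    // non-final class accepts a "[class name, {...}]" pair chosen by whoever
    // supplies the JSON, so the only thing standing between readValue and a
    // gadget class is the library's blacklist (the one this advisory extends).
    @SuppressWarnings("deprecation")
    public static ObjectMapper unsafeMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // blanket polymorphic typing; deprecated since 2.10
        return mapper;
    }

    // Hardened setting (jackson-databind 2.10+): polymorphic typing is still
    // available, but a class name in the input is only resolved if it lies in
    // the application's own package, so unknown classes are rejected with an
    // InvalidTypeIdException before any of their code runs. On 2.8.10/2.9.1
    // this API does not exist; there, simply not enabling default typing is
    // the equivalent choice.
    public static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.events.")   // hypothetical package prefix
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // Deserialization of untrusted input goes through the hardened mapper only.
    public static Event parseEvent(String untrustedJson) throws Exception {
        return hardenedMapper().readValue(untrustedJson, Event.class);
    }
}
```

Independently of the mapper configuration, upgrading to 2.8.10 / 2.9.1 or later is what actually picks up the extended blacklist described in this advisory.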
Remediation
References
https://github.com/FasterXML/jackson-databind/issues/1737
https://github.com/FasterXML/jackson-databind/issues/1680
https://www.debian.org/security/2017/dsa-4037
https://security.netapp.com/advisory/ntap-20171214-0003/
https://access.redhat.com/errata/RHSA-2017:3190
https://access.redhat.com/errata/RHSA-2017:3189
http://www.securitytracker.com/id/1039769
https://access.redhat.com/errata/RHSA-2018:0342
https://access.redhat.com/errata/RHSA-2018:0481
https://access.redhat.com/errata/RHSA-2018:0480
https://access.redhat.com/errata/RHSA-2018:0479
https://access.redhat.com/errata/RHSA-2018:0478
https://access.redhat.com/errata/RHSA-2018:0577
https://access.redhat.com/errata/RHSA-2018:0576
http://www.securityfocus.com/bid/103880
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
https://access.redhat.com/errata/RHSA-2018:1451
https://access.redhat.com/errata/RHSA-2018:1450
https://access.redhat.com/errata/RHSA-2018:1449
https://access.redhat.com/errata/RHSA-2018:1448
https://access.redhat.com/errata/RHSA-2018:1447
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
https://access.redhat.com/errata/RHSA-2018:2927
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
https://access.redhat.com/errata/RHSA-2019:2858
https://access.redhat.com/errata/RHSA-2019:3149
https://access.redhat.com/errata/RHSA-2019:3892
https://lists.debian.org/debian-lts-announce/2020/01/msg00037.html
https://www.oracle.com/security-alerts/cpuoct2020.html
https://lists.apache.org/thread.html/f095a791bda6c0595f691eddd0febb2d396987eec5cbd29120d8c629%40%3Csolr-user.lucene.apache.org%3E