CVE-2017-17485

CVE-2017-17485

FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.

Published Jan 17, 2018

adamcaudill.com Issue #1855 blog.sonatype.com blog.sonatype.com

CVSS ScoreCritical

9.8

Vulnerabilities

CVE-2017-17485

Published Jan 17, 2018

adamcaudill.com Issue #1855 blog.sonatype.com blog.sonatype.com

CVSS ScoreCritical

9.8

CVE-2017-17485 Security Details

CVE ID: CVE-2017-17485
CWE: CWE-502
CVE Description: FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.
Published: Jan 17, 2018
CVSS Score & Severity: 9.8Critical
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 84.949%
Malware: malware
KEV Status: Not in KEV Catalog: No known exploits
Vulnerable Methods: com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.createBeanDeserializer(Lcom/fasterxml/jackson/databind/DeserializationContext;Lcom/fasterxml/jackson/databind/JavaType;Lcom/fasterxml/jackson/databind/BeanDescription;)Lcom/fasterxml/jackson/databind/JsonDeserializer;
JVM
com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.createBeanDeserializer(Lcom/fasterxml/jackson/databind/DeserializationContext;Lcom/fasterxml/jackson/databind/JavaType;Lcom/fasterxml/jackson/databind/BeanDescription;)Lcom/fasterxml/jackson/databind/JsonDeserializer;
JVMVulnerable params: 0
Affected Ecosystems: affected
Source: National Vulnerability Database
References: adamcaudill.comATTACK
GitHub · Issue #1855PROJECT
blog.sonatype.comTHIRD_PARTY
blog.sonatype.comTHIRD_PARTY

CVE-2017-17485 Security Details

CVE ID: CVE-2017-17485
CWE: CWE-502
CVE Description: FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.
Published: Jan 17, 2018
CVSS Score & Severity: 9.8Critical
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 84.949%
Malware: malware
KEV Status: Not in KEV Catalog: No known exploits
Vulnerable Methods: com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.createBeanDeserializer(Lcom/fasterxml/jackson/databind/DeserializationContext;Lcom/fasterxml/jackson/databind/JavaType;Lcom/fasterxml/jackson/databind/BeanDescription;)Lcom/fasterxml/jackson/databind/JsonDeserializer;
JVM
com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.createBeanDeserializer(Lcom/fasterxml/jackson/databind/DeserializationContext;Lcom/fasterxml/jackson/databind/JavaType;Lcom/fasterxml/jackson/databind/BeanDescription;)Lcom/fasterxml/jackson/databind/JsonDeserializer;
JVMVulnerable params: 0
Affected Ecosystems: affected
Source: National Vulnerability Database
References: adamcaudill.comATTACK
GitHub · Issue #1855PROJECT
blog.sonatype.comTHIRD_PARTY
blog.sonatype.comTHIRD_PARTY

Find vulnerabilities. Fix fast with AI.

CVE-2017-17485

CVE-2017-17485 Security Details

CVE-2017-17485 Security Details