CVE-2017-7525

jackson-databind: Deserialization vulnerability via readValue method of ObjectMapper

Severity Score: 9.8 (CVSS v3.1)
Exploit Likelihood (EPSS):
Affected Versions (CPE): see the table "Affected Vendors, Products, and Versions" below
Public Exploits: 1 (Multiple Sources)
Exploited in Wild (KEV): -
Decision (SSVC): -

Descriptions

A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.


A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.

*Credits: N/A
CVSS Scores

CVSS v3.x (first vector):
  Attack Vector: Network | Attack Complexity: Low | Privileges Required: None | User Interaction: None | Scope: Unchanged | Confidentiality: High | Integrity: High | Availability: High

CVSS v3.x (second vector):
  Attack Vector: Network | Attack Complexity: High | Privileges Required: None | User Interaction: None | Scope: Unchanged | Confidentiality: High | Integrity: High | Availability: High

CVSS v2:
  Attack Vector: Network | Attack Complexity: Low | Authentication: None | Confidentiality: Partial | Integrity: Partial | Availability: Partial

* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2017-04-05 CVE Reserved
  • 2017-07-31 CVE Published
  • 2022-03-28 First Exploit
  • 2024-09-17 CVE Updated
  • 2024-09-17 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-20: Improper Input Validation
  • CWE-184: Incomplete List of Disallowed Inputs
  • CWE-502: Deserialization of Untrusted Data
CAPEC
References (62)
URL Tag Source
http://www.securityfocus.com/bid/99623 Third Party Advisory
http://www.securitytracker.com/id/1039744 Third Party Advisory
http://www.securitytracker.com/id/1039947 Third Party Advisory
http://www.securitytracker.com/id/1040360 Third Party Advisory
https://cwiki.apache.org/confluence/display/WW/S2-055 Third Party Advisory
https://github.com/FasterXML/jackson-databind/issues/1723 Issue Tracking
https://lists.apache.org/thread.html/3c87dc8bca99a2b3b4743713b33d1de05b1d6b761fdf316224e9c81f%40%3Cdev.lucene.apache.org%3E Mailing List
https://lists.apache.org/thread.html/4641ed8616ccc2c1fbddac2c3dc9900c96387bc226eaf0232d61909b%40%3Ccommits.cassandra.apache.org%3E Mailing List
https://lists.apache.org/thread.html/5008bcbd45ee65ce39e4220b6ac53d28a24d6bc67d5804e9773a7399%40%3Csolr-user.lucene.apache.org%3E Mailing List
https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E Mailing List
https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E Mailing List
https://lists.apache.org/thread.html/b1f33fe5ade396bb903fdcabe9f243f7692c7dfce5418d3743c2d346%40%3Cdev.lucene.apache.org%3E Mailing List
https://lists.apache.org/thread.html/c10a2bf0fdc3d25faf17bd191d6ec46b29a353fa9c97bebd7c4e5913%40%3Cdev.lucene.apache.org%3E Mailing List
https://lists.apache.org/thread.html/c2ed4c0126b43e324cf740012a0edd371fd36096fd777be7bfe7a2a6%40%3Cdev.lucene.apache.org%3E Mailing List
https://lists.apache.org/thread.html/c9d5ff20929e8a3c8794facf4c4b326a9c10618812eec356caa20b87%40%3Csolr-user.lucene.apache.org%3E Mailing List
https://lists.apache.org/thread.html/f095a791bda6c0595f691eddd0febb2d396987eec5cbd29120d8c629%40%3Csolr-user.lucene.apache.org%3E Mailing List
https://lists.apache.org/thread.html/f60afd3c7e9ebaaf70fad4a4beb75cf8740ac959017a31e7006c7486%40%3Cdev.lucene.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r42ac3e39e6265db12d9fc6ae1cd4b5fea7aed9830dc6f6d58228fed7%40%3Ccommits.cassandra.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r68acf97f4526ba59a33cc6e592261ea4f85d890f99e79c82d57dd589%40%3Cissues.spark.apache.org%3E Mailing List
https://lists.apache.org/thread.html/rf7f87810c38dc9abf9f93989f76008f504cbf7c1a355214640b2d04c%40%3Ccommits.cassandra.apache.org%3E Mailing List
https://lists.debian.org/debian-lts-announce/2020/01/msg00037.html Mailing List
https://lists.debian.org/debian-lts-announce/2020/08/msg00039.html Mailing List
https://security.netapp.com/advisory/ntap-20171214-0002 Third Party Advisory
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03902en_us Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.html Third Party Advisory
URL Date SRC
https://access.redhat.com/errata/RHSA-2017:1834 2023-11-07
https://access.redhat.com/errata/RHSA-2017:1835 2023-11-07
https://access.redhat.com/errata/RHSA-2017:1836 2023-11-07
https://access.redhat.com/errata/RHSA-2017:1837 2023-11-07
https://access.redhat.com/errata/RHSA-2017:1839 2023-11-07
https://access.redhat.com/errata/RHSA-2017:1840 2023-11-07
https://access.redhat.com/errata/RHSA-2017:2477 2023-11-07
https://access.redhat.com/errata/RHSA-2017:2546 2023-11-07
https://access.redhat.com/errata/RHSA-2017:2547 2023-11-07
https://access.redhat.com/errata/RHSA-2017:2633 2023-11-07
https://access.redhat.com/errata/RHSA-2017:2635 2023-11-07
https://access.redhat.com/errata/RHSA-2017:2636 2023-11-07
https://access.redhat.com/errata/RHSA-2017:2637 2023-11-07
https://access.redhat.com/errata/RHSA-2017:2638 2023-11-07
https://access.redhat.com/errata/RHSA-2017:3141 2023-11-07
https://access.redhat.com/errata/RHSA-2017:3454 2023-11-07
https://access.redhat.com/errata/RHSA-2017:3455 2023-11-07
https://access.redhat.com/errata/RHSA-2017:3456 2023-11-07
https://access.redhat.com/errata/RHSA-2017:3458 2023-11-07
https://access.redhat.com/errata/RHSA-2018:0294 2023-11-07
https://access.redhat.com/errata/RHSA-2018:0342 2023-11-07
https://access.redhat.com/errata/RHSA-2018:1449 2023-11-07
https://access.redhat.com/errata/RHSA-2018:1450 2023-11-07
https://access.redhat.com/errata/RHSA-2019:0910 2023-11-07
https://access.redhat.com/errata/RHSA-2019:2858 2023-11-07
https://access.redhat.com/errata/RHSA-2019:3149 2023-11-07
https://bugzilla.redhat.com/show_bug.cgi?id=1462702 2019-10-18
https://www.debian.org/security/2017/dsa-4004 2023-11-07
https://access.redhat.com/security/cve/CVE-2017-7525 2019-10-18
Affected Vendors, Products, and Versions

Vendor | Product | Version | Other | Status | Platform
Redhat | Openshift Container Platform | 4.1 | - | Affected | in Redhat Enterprise Linux Server 7.0 (Safe)
Redhat | Virtualization | 4.0 | - | Affected | in Redhat Enterprise Linux Server 7.0 (Safe)
Redhat | Virtualization Host | 4.0 | - | Affected | in Redhat Enterprise Linux Server 7.0 (Safe)
Redhat | Jboss Enterprise Application Platform | 6.0.0 | - | Affected | in Redhat Enterprise Linux Server 6.0 (Safe)
Redhat | Jboss Enterprise Application Platform | 6.0.0 | - | Affected | in Redhat Enterprise Linux Server 7.0 (Safe)
Redhat | Jboss Enterprise Application Platform | 6.4.0 | - | Affected | in Redhat Enterprise Linux Server 6.0 (Safe)
Redhat | Jboss Enterprise Application Platform | 6.4.0 | - | Affected | in Redhat Enterprise Linux Server 7.0 (Safe)
Redhat | Jboss Enterprise Application Platform | 7.0 | - | Affected | in Redhat Enterprise Linux Server 6.0 (Safe)
Redhat | Jboss Enterprise Application Platform | 7.0 | - | Affected | in Redhat Enterprise Linux Server 7.0 (Safe)
Redhat | Jboss Enterprise Application Platform | 7.1 | - | Affected | in Redhat Enterprise Linux Server 6.0 (Safe)
Redhat | Jboss Enterprise Application Platform | 7.1 | - | Affected | in Redhat Enterprise Linux Server 7.0 (Safe)
Redhat | Jboss Enterprise Application Platform | 6.0.0 | - | Affected | in Redhat Enterprise Linux Server 5.0 (Safe)
Redhat | Jboss Enterprise Application Platform | 6.4.0 | - | Affected | in Redhat Enterprise Linux Server 5.0 (Safe)
Fasterxml | Jackson-databind | < 2.6.7.1 | - | Affected |
Fasterxml | Jackson-databind | >= 2.7.0 < 2.7.9.1 | - | Affected |
Fasterxml | Jackson-databind | >= 2.8.0 < 2.8.9 | - | Affected |
Fasterxml | Jackson-databind | 2.9.0 | prerelease1 | Affected |
Fasterxml | Jackson-databind | 2.9.0 | prerelease2 | Affected |
Debian | Debian Linux | 8.0 | - | Affected |
Debian | Debian Linux | 9.0 | - | Affected |
Netapp | Oncommand Balance | - | - | Affected |
Netapp | Oncommand Performance Manager | - | linux | Affected |
Netapp | Oncommand Performance Manager | - | vmware_vsphere | Affected |
Netapp | Oncommand Shift | - | - | Affected |
Netapp | Snapcenter | - | - | Affected |
Redhat | Openshift Container Platform | 3.11 | - | Affected |
Oracle | Banking Platform | 2.5.0 | - | Affected |
Oracle | Banking Platform | 2.6.0 | - | Affected |
Oracle | Banking Platform | 2.6.1 | - | Affected |
Oracle | Banking Platform | 2.6.2 | - | Affected |
Oracle | Communications Billing And Revenue Management | 7.5 | - | Affected |
Oracle | Communications Billing And Revenue Management | 12.0 | - | Affected |
Oracle | Communications Communications Policy Management | >= 12.0 <= 12.5.2 | - | Affected |
Oracle | Communications Diameter Signaling Route | < 8.3 | - | Affected |
Oracle | Communications Instant Messaging Server | 10.0.1 | - | Affected |
Oracle | Communications Instant Messaging Server | 10.0.1.2.0 | - | Affected |
Oracle | Enterprise Manager For Virtualization | 13.2.2 | - | Affected |
Oracle | Enterprise Manager For Virtualization | 13.2.3 | - | Affected |
Oracle | Enterprise Manager For Virtualization | 13.3.1 | - | Affected |
Oracle | Financial Services Analytical Applications Infrastructure | 8.0.2.0.0 | - | Affected |
Oracle | Financial Services Analytical Applications Infrastructure | 8.0.3.0.0 | - | Affected |
Oracle | Financial Services Analytical Applications Infrastructure | 8.0.4.0.0 | - | Affected |
Oracle | Financial Services Analytical Applications Infrastructure | 8.0.5.0.0 | - | Affected |
Oracle | Financial Services Analytical Applications Infrastructure | 8.0.6.0.0 | - | Affected |
Oracle | Financial Services Analytical Applications Infrastructure | 8.0.7.0.0 | - | Affected |
Oracle | Global Lifecycle Management Opatchauto | < 12.2.0.1.14 | - | Affected |
Oracle | Primavera Unifier | >= 17.1 <= 17.12 | - | Affected |
Oracle | Primavera Unifier | 16.1 | - | Affected |
Oracle | Primavera Unifier | 16.2 | - | Affected |
Oracle | Primavera Unifier | 18.8 | - | Affected |
Oracle | Utilities Advanced Spatial And Operational Analytics | 2.7.0.1 | - | Affected |
Oracle | Webcenter Portal | 12.2.1.3.0 | - | Affected |