CVE - CVE-2017-17485

CVE-ID
CVE-2017-17485	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
BUGTRAQ:20180109 CVE-2017-17485: one more way of rce in jackson-databind when defaultTyping+objects are used URL:http://www.securityfocus.com/archive/1/541652/100/0/threaded CONFIRM:https://github.com/FasterXML/jackson-databind/issues/1855 URL:https://github.com/FasterXML/jackson-databind/issues/1855 CONFIRM:https://security.netapp.com/advisory/ntap-20180201-0003/ URL:https://security.netapp.com/advisory/ntap-20180201-0003/ CONFIRM:https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03902en_us URL:https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03902en_us DEBIAN:DSA-4114 URL:https://www.debian.org/security/2018/dsa-4114 MISC:https://github.com/irsl/jackson-rce-via-spel/ URL:https://github.com/irsl/jackson-rce-via-spel/ MISC:https://www.oracle.com/security-alerts/cpuoct2020.html URL:https://www.oracle.com/security-alerts/cpuoct2020.html REDHAT:RHSA-2018:0116 URL:https://access.redhat.com/errata/RHSA-2018:0116 REDHAT:RHSA-2018:0342 URL:https://access.redhat.com/errata/RHSA-2018:0342 REDHAT:RHSA-2018:0478 URL:https://access.redhat.com/errata/RHSA-2018:0478 REDHAT:RHSA-2018:0479 URL:https://access.redhat.com/errata/RHSA-2018:0479 REDHAT:RHSA-2018:0480 URL:https://access.redhat.com/errata/RHSA-2018:0480 REDHAT:RHSA-2018:0481 URL:https://access.redhat.com/errata/RHSA-2018:0481 REDHAT:RHSA-2018:1447 URL:https://access.redhat.com/errata/RHSA-2018:1447 REDHAT:RHSA-2018:1448 URL:https://access.redhat.com/errata/RHSA-2018:1448 REDHAT:RHSA-2018:1449 URL:https://access.redhat.com/errata/RHSA-2018:1449 REDHAT:RHSA-2018:1450 URL:https://access.redhat.com/errata/RHSA-2018:1450 REDHAT:RHSA-2018:1451 URL:https://access.redhat.com/errata/RHSA-2018:1451 REDHAT:RHSA-2018:2930 URL:https://access.redhat.com/errata/RHSA-2018:2930 REDHAT:RHSA-2019:1782 URL:https://access.redhat.com/errata/RHSA-2019:1782 REDHAT:RHSA-2019:1797 URL:https://access.redhat.com/errata/RHSA-2019:1797 REDHAT:RHSA-2019:2858 URL:https://access.redhat.com/errata/RHSA-2019:2858 REDHAT:RHSA-2019:3149 URL:https://access.redhat.com/errata/RHSA-2019:3149 REDHAT:RHSA-2019:3892 URL:https://access.redhat.com/errata/RHSA-2019:3892
Assigning CNA
MITRE Corporation
Date Record Created
20171210	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20171210)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is a record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)