CVE - CVE-2017-7525

CVE-ID
CVE-2017-7525	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
BID:99623 URL:http://www.securityfocus.com/bid/99623 CONFIRM:http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html URL:http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html CONFIRM:http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html URL:http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html CONFIRM:http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html URL:http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=1462702 URL:https://bugzilla.redhat.com/show_bug.cgi?id=1462702 CONFIRM:https://cwiki.apache.org/confluence/display/WW/S2-055 URL:https://cwiki.apache.org/confluence/display/WW/S2-055 CONFIRM:https://github.com/FasterXML/jackson-databind/issues/1599 URL:https://github.com/FasterXML/jackson-databind/issues/1599 CONFIRM:https://github.com/FasterXML/jackson-databind/issues/1723 URL:https://github.com/FasterXML/jackson-databind/issues/1723 CONFIRM:https://security.netapp.com/advisory/ntap-20171214-0002/ URL:https://security.netapp.com/advisory/ntap-20171214-0002/ CONFIRM:https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03902en_us URL:https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03902en_us CONFIRM:https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html URL:https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html DEBIAN:DSA-4004 URL:https://www.debian.org/security/2017/dsa-4004 MISC:https://www.oracle.com/security-alerts/cpuoct2020.html URL:https://www.oracle.com/security-alerts/cpuoct2020.html MISC:https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html URL:https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html MISC:https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html URL:https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html MLIST:[cassandra-commits] 20191113 [jira] [Created] (CASSANDRA-15416) CVE-2017-7525 ( jackson-databind is vulnerable to Remote Code Execution) on version 3.11.4 URL:https://lists.apache.org/thread.html/4641ed8616ccc2c1fbddac2c3dc9900c96387bc226eaf0232d61909b@%3Ccommits.cassandra.apache.org%3E MLIST:[cassandra-commits] 20210927 [jira] [Commented] (CASSANDRA-15416) CVE-2017-7525 ( jackson-databind is vulnerable to Remote Code Execution) on version 3.11.4 URL:https://lists.apache.org/thread.html/rf7f87810c38dc9abf9f93989f76008f504cbf7c1a355214640b2d04c@%3Ccommits.cassandra.apache.org%3E MLIST:[cassandra-commits] 20210927 [jira] [Updated] (CASSANDRA-15416) CVE-2017-7525 ( jackson-databind is vulnerable to Remote Code Execution) on version 3.11.4 URL:https://lists.apache.org/thread.html/r42ac3e39e6265db12d9fc6ae1cd4b5fea7aed9830dc6f6d58228fed7@%3Ccommits.cassandra.apache.org%3E MLIST:[debian-lts-announce] 20200131 [SECURITY] [DLA 2091-1] libjackson-json-java security update URL:https://lists.debian.org/debian-lts-announce/2020/01/msg00037.html MLIST:[debian-lts-announce] 20200824 [SECURITY] [DLA 2342-1] libjackson-json-java security update URL:https://lists.debian.org/debian-lts-announce/2020/08/msg00039.html MLIST:[druid-commits] 20191115 [GitHub] [incubator-druid] ccaominh opened a new pull request #8878: Address security vulnerabilities URL:https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E MLIST:[lucene-dev] 20190325 [jira] [Assigned] (SOLR-13110) CVE-2017-7525 Threat Level 9 Against Solr v7.6. org.codehaus.jackson : jackson-mapper-asl : 1.9.13. .A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, ... URL:https://lists.apache.org/thread.html/c2ed4c0126b43e324cf740012a0edd371fd36096fd777be7bfe7a2a6@%3Cdev.lucene.apache.org%3E MLIST:[lucene-dev] 20190325 [jira] [Closed] (SOLR-13110) CVE-2017-7525 Threat Level 9 Against Solr v7.6. org.codehaus.jackson : jackson-mapper-asl : 1.9.13. .A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, ... URL:https://lists.apache.org/thread.html/f60afd3c7e9ebaaf70fad4a4beb75cf8740ac959017a31e7006c7486@%3Cdev.lucene.apache.org%3E MLIST:[lucene-dev] 20190325 [jira] [Resolved] (SOLR-13110) CVE-2017-7525 Threat Level 9 Against Solr v7.6. org.codehaus.jackson : jackson-mapper-asl : 1.9.13. .A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, ... URL:https://lists.apache.org/thread.html/c10a2bf0fdc3d25faf17bd191d6ec46b29a353fa9c97bebd7c4e5913@%3Cdev.lucene.apache.org%3E MLIST:[lucene-dev] 20190325 [jira] [Updated] (SOLR-13110) CVE-2017-7525 Threat Level 9 Against Solr v7.6. org.codehaus.jackson : jackson-mapper-asl : 1.9.13. .A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, ... URL:https://lists.apache.org/thread.html/3c87dc8bca99a2b3b4743713b33d1de05b1d6b761fdf316224e9c81f@%3Cdev.lucene.apache.org%3E MLIST:[lucene-dev] 20190325 [jira] [Updated] (SOLR-13110) CVE-2017-7525 Threat Level 9 Against Solr v7.6. org.codehaus.jackson : jackson-mapper-asl : 1.9.13. .A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, ... URL:https://lists.apache.org/thread.html/b1f33fe5ade396bb903fdcabe9f243f7692c7dfce5418d3743c2d346@%3Cdev.lucene.apache.org%3E MLIST:[lucene-solr-user] 20190104 Re: SOLR v7 Security Issues Caused Denial of Use - Sonatype Application Composition Report URL:https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E MLIST:[lucene-solr-user] 20191218 CVE-2017-7525 fix for Solr 7.7.x URL:https://lists.apache.org/thread.html/5008bcbd45ee65ce39e4220b6ac53d28a24d6bc67d5804e9773a7399@%3Csolr-user.lucene.apache.org%3E MLIST:[lucene-solr-user] 20191218 Re: CVE-2017-7525 fix for Solr 7.7.x URL:https://lists.apache.org/thread.html/c9d5ff20929e8a3c8794facf4c4b326a9c10618812eec356caa20b87@%3Csolr-user.lucene.apache.org%3E MLIST:[lucene-solr-user] 20191219 Re: CVE-2017-7525 fix for Solr 7.7.x URL:https://lists.apache.org/thread.html/f095a791bda6c0595f691eddd0febb2d396987eec5cbd29120d8c629@%3Csolr-user.lucene.apache.org%3E MLIST:[spark-issues] 20210223 [jira] [Created] (SPARK-34511) Current Security vulnerabilities in spark libraries URL:https://lists.apache.org/thread.html/r68acf97f4526ba59a33cc6e592261ea4f85d890f99e79c82d57dd589@%3Cissues.spark.apache.org%3E REDHAT:RHSA-2017:1834 URL:https://access.redhat.com/errata/RHSA-2017:1834 REDHAT:RHSA-2017:1835 URL:https://access.redhat.com/errata/RHSA-2017:1835 REDHAT:RHSA-2017:1836 URL:https://access.redhat.com/errata/RHSA-2017:1836 REDHAT:RHSA-2017:1837 URL:https://access.redhat.com/errata/RHSA-2017:1837 REDHAT:RHSA-2017:1839 URL:https://access.redhat.com/errata/RHSA-2017:1839 REDHAT:RHSA-2017:1840 URL:https://access.redhat.com/errata/RHSA-2017:1840 REDHAT:RHSA-2017:2477 URL:https://access.redhat.com/errata/RHSA-2017:2477 REDHAT:RHSA-2017:2546 URL:https://access.redhat.com/errata/RHSA-2017:2546 REDHAT:RHSA-2017:2547 URL:https://access.redhat.com/errata/RHSA-2017:2547 REDHAT:RHSA-2017:2633 URL:https://access.redhat.com/errata/RHSA-2017:2633 REDHAT:RHSA-2017:2635 URL:https://access.redhat.com/errata/RHSA-2017:2635 REDHAT:RHSA-2017:2636 URL:https://access.redhat.com/errata/RHSA-2017:2636 REDHAT:RHSA-2017:2637 URL:https://access.redhat.com/errata/RHSA-2017:2637 REDHAT:RHSA-2017:2638 URL:https://access.redhat.com/errata/RHSA-2017:2638 REDHAT:RHSA-2017:3141 URL:https://access.redhat.com/errata/RHSA-2017:3141 REDHAT:RHSA-2017:3454 URL:https://access.redhat.com/errata/RHSA-2017:3454 REDHAT:RHSA-2017:3455 URL:https://access.redhat.com/errata/RHSA-2017:3455 REDHAT:RHSA-2017:3456 URL:https://access.redhat.com/errata/RHSA-2017:3456 REDHAT:RHSA-2017:3458 URL:https://access.redhat.com/errata/RHSA-2017:3458 REDHAT:RHSA-2018:0294 URL:https://access.redhat.com/errata/RHSA-2018:0294 REDHAT:RHSA-2018:0342 URL:https://access.redhat.com/errata/RHSA-2018:0342 REDHAT:RHSA-2018:1449 URL:https://access.redhat.com/errata/RHSA-2018:1449 REDHAT:RHSA-2018:1450 URL:https://access.redhat.com/errata/RHSA-2018:1450 REDHAT:RHSA-2019:0910 URL:https://access.redhat.com/errata/RHSA-2019:0910 REDHAT:RHSA-2019:2858 URL:https://access.redhat.com/errata/RHSA-2019:2858 REDHAT:RHSA-2019:3149 URL:https://access.redhat.com/errata/RHSA-2019:3149 SECTRACK:1039744 URL:http://www.securitytracker.com/id/1039744 SECTRACK:1039947 URL:http://www.securitytracker.com/id/1039947 SECTRACK:1040360 URL:http://www.securitytracker.com/id/1040360
Assigning CNA
Red Hat, Inc.
Date Record Created
20170405	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20170405)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)