|Description||A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.|
|Source||CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)|
|References||DLA-2091-1, DLA-2342-1, DSA-4037-1|
Vulnerable and fixed packages
The table below lists information on source packages.
|bullseye (security), bullseye||2.12.1-1+deb11u1||fixed|
|bookworm, sid, trixie||2.14.0-1||fixed|
|bookworm, bullseye, sid, trixie||1.9.13-2||fixed|
The information below is based on the following data on fixed versions.
The Debian upload for stretch (2.8.6-1+deb9u1) and jessie (2.4.2-2+deb8u1)
misses the further sets of blacklists, in particular as well
which was already for CVE-2017-7525 but then the further tickets and patches
to block more dangerous types (at leas they are):
This CVE-2017-15095 should be considered to include everything in
NO_DESER_CLASS_NAMES as of: