CVE-2017-7525

Name: CVE-2017-7525
Description: A deserialization flaw was discovered in jackson-databind before versions 2.6.7.1, 2.7.9.1 and 2.8.9. It could allow an unauthenticated attacker to execute code by sending maliciously crafted input to the readValue method of ObjectMapper.
Source: CVE (NVD)
References: DLA-2091-1, DLA-2342-1, DSA-4004-1
Debian Bugs: 870848
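The description above names the entry point (ObjectMapper.readValue) but not the precondition. The following Java example is added here to illustrate that precondition; it is not code from the Debian tracker or from the jackson-databind project. It shows the pre-fix configuration shape, in which global default typing lets the JSON document name the class to instantiate, next to the hardened shape available from jackson-databind 2.10 onward, where a PolymorphicTypeValidator allow-list decides which class names may be resolved. The input string is constructed for the example and uses java.util.HashMap as a harmless stand-in for a gadget class; the package prefix com.example.model. is a hypothetical application package.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingDemo {

    // Constructed input (not from the tracker page). With default typing enabled,
    // Jackson reads a two-element array as [type-id, value] and instantiates the
    // class named by the type id. java.util.HashMap stands in for a gadget class.
    static final String CONSTRUCTED_INPUT = "[\"java.util.HashMap\", {\"k\": \"v\"}]";

    // Vulnerable shape: global default typing, no validator. This is the
    // configuration CVE-2017-7525 requires; the JSON, not the code, picks the class.
    static Object deserializeUnsafe(String json) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // deprecated since 2.10 for exactly this reason
        return mapper.readValue(json, Object.class);
    }

    // Hardened shape (2.10+): default typing stays on, but only subtypes whose
    // class name starts with the allow-listed prefix may be resolved. Any other
    // type id, including java.util.HashMap here, is rejected before instantiation.
    static Object deserializeSafe(String json) throws Exception {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.") // hypothetical application package
                .build();
        ObjectMapper mapper = JsonMapper.builder()
                .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL)
                .build();
        return mapper.readValue(json, Object.class);
    }

    public static void main(String[] args) throws Exception {
        Object o = deserializeUnsafe(CONSTRUCTED_INPUT);
        // The attacker-chosen class name was honoured: prints java.util.HashMap.
        System.out.println("unsafe: instantiated " + o.getClass().getName());

        try {
            deserializeSafe(CONSTRUCTED_INPUT);
            System.out.println("safe: unexpectedly accepted input");
        } catch (InvalidTypeIdException e) {
            // The validator denied the type id; no object of that class was created.
            System.out.println("safe: rejected type id: " + e.getMessage());
        }
    }
}
```

The blocklist shipped in the upstream fix only stops the gadget classes it knows about; an allow-list validator such as the one above, or not enabling default typing at all, removes the class-name-from-JSON mechanism rather than individual gadgets.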

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package         Release                          Version            Status
jackson-databind       buster                           2.9.8-3+deb10u3    fixed
                       buster (security)                2.9.8-3+deb10u5    fixed
                       bullseye (security), bullseye    2.12.1-1+deb11u1   fixed
                       sid, trixie, bookworm            2.14.0-1           fixed
libjackson-json-java   buster                           1.9.13-2~deb10u1   fixed
                       sid, trixie, bookworm, bullseye  1.9.13-2           fixed

The information below is based on the following data on fixed versions.

Package                Type     Release      Fixed Version      Urgency   Origin       Debian Bugs
jackson-databind       source   jessie       2.4.2-2+deb8u1               DSA-4004-1
jackson-databind       source   stretch      2.8.6-1+deb9u1               DSA-4004-1
jackson-databind       source   (unstable)   2.9.1-1                                   870848
libjackson-json-java   source   jessie       1.9.2-3+deb8u1               DLA-2091-1
libjackson-json-java   source   stretch      1.9.2-8+deb9u1               DLA-2342-1
libjackson-json-java   source   buster       1.9.13-2~deb10u1
libjackson-json-java   source   (unstable)   1.9.13-2

Notes

https://github.com/FasterXML/jackson-databind/issues/1599
Exploitation requires polymorphic type handling to be active (ObjectMapper.enableDefaultTyping(), or a @JsonTypeInfo annotation that resolves class names from the input) together with a suitable gadget class on the classpath. The upstream fix in issue #1599 adds a blocklist of known gadget classes rather than disabling the mechanism, which is why later jackson-databind CVEs extend that blocklist.
For libjackson-json-java (the legacy Jackson 1.x codebase, org.codehaus.jackson):
https://github.com/FasterXML/jackson-1/commit/9ac68db819bce7b9546bc4bf1c44f82ca910fa31
