CVE-2017-7525

NameCVE-2017-7525
DescriptionA deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDSA-4004-1
NVD severityhigh (attack range: remote)
Debian Bugs870848

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
jackson-databind (PTS)jessie (security), jessie2.4.2-2+deb8u4fixed
stretch (security), stretch2.8.6-1+deb9u4fixed
buster, sid2.9.5-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
jackson-databindsource(unstable)2.9.1-1high870848
jackson-databindsourcejessie2.4.2-2+deb8u1highDSA-4004-1
jackson-databindsourcestretch2.8.6-1+deb9u1highDSA-4004-1

Notes

https://github.com/FasterXML/jackson-databind/issues/1599

Search for package or bug name: Reporting problems