CVE-2017-15095
Description
A deserialization flaw was discovered in jackson-databind in versions before 2.8.10 and 2.9.1 that could allow an unauthenticated user to achieve code execution by sending maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the earlier flaw CVE-2017-7525: the fix blacklists additional classes that could be used maliciously as deserialization gadgets.
Risk Information
Base Score
9.8
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score
Exploitation Probability
9.261
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Multiple vulnerabilities are affected in Oracle 12.2.0.1 | Windows |
| Multiple vulnerabilities are fixed in Jackson-databind 2.6.7.3 | Windows |
| Vulnerabilities CVE-2018-5968, CVE-2017-17485, CVE-2017-15095 are fixed in Jackson-databind 2.9.4 | Windows |
| Vulnerabilities CVE-2017-17485, CVE-2017-15095 are fixed in Jackson-databind 2.8.11 | Windows |
| Vulnerabilities CVE-2017-17485, CVE-2017-15095 are fixed in Jackson-databind 2.7.9.2 | Windows |
| Multiple vulnerabilities are affected in IBM Cognos Analytics 11.0.12.0 | Windows |
| Vulnerabilities CVE-2017-15095, CVE-2025-21556, CVE-2025-21560, CVE-2025-21564, CVE-2025-21565 are affected in Oracle Agile PLM Framework 9.3.6 | Windows |
| Multiple vulnerabilities are affected in Red Hat JBoss Enterprise Application Platform 7 6.0.0 | Windows |
| Multiple vulnerabilities are affected in Red Hat JBoss Enterprise Application Platform 7 6.4.0 | Windows |
| Multiple vulnerabilities are affected in Red Hat JBoss Enterprise Application Platform 7 7.1.0 | Windows |
| Multiple vulnerabilities are affected in Netapp Snapcenter 2.3 | Windows |
| Multiple vulnerabilities are affected in Netapp Oncommand Balance 2.3 | Windows |
| Multiple vulnerabilities are affected in Netapp Oncommand Shift 2.3 | Windows |
| Vulnerabilities CVE-2017-15095, CVE-2018-2939 are affected in Oracle 18.1 | Windows |
| Multiple vulnerabilities are affected in IBM Aspera Shares 1.10.1 | Windows |
| Suite of data-processing tools for Java (USN-4741-1) libjackson-json-java_1.9.2-7ubuntu0.2_all.deb | Linux |
| Multiple vulnerabilities are fixed in Jackson-databind for Linux 2.6.7.3 | Linux |
| Vulnerabilities CVE-2018-5968, CVE-2017-17485, CVE-2017-15095 are fixed in Jackson-databind for Linux 2.9.4 | Linux |
| Vulnerabilities CVE-2017-17485, CVE-2017-15095 are fixed in Jackson-databind for Linux 2.8.11 | Linux |
| Vulnerabilities CVE-2017-17485, CVE-2017-15095 are fixed in Jackson-databind for Linux 2.7.9.2 | Linux |
| Deserialization of Untrusted Data Vulnerability (CVE-2017-15095) | NCM |
Patch Details
No records found
References
https://nvd.nist.gov/vuln/detail/CVE-2017-15095
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15095