Home

CVE-2017-17485

Description

FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.

Risk Information

Base Score
9.8
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score
Exploitation Probability
79.787

Associated Vulnerability

VulnerabilityOS Platform
Vulnerabilities CVE-2018-5968,CVE-2017-17485,CVE-2017-15095 are fixed in Jackson-databind 2.9.4Windows
Vulnerabilities CVE-2017-17485,CVE-2017-15095 are fixed in Jackson-databind 2.8.11Windows
Vulnerabilities CVE-2017-17485,CVE-2017-15095 are fixed in Jackson-databind 2.7.9.2Windows
Multiple Vulnerabilities are affected in Red Hat JBoss Enterprise Application Platform 7 6.0.0Windows
Multiple Vulnerabilities are affected in Red Hat JBoss Enterprise Application Platform 7 6.4.0Windows
Multiple Vulnerabilities are affected in Red Hat JBoss Enterprise Application Platform 7 7.1.0Windows
Vulnerabilities CVE-2017-17485,CVE-2018-7489 are affected in Red Hat JBoss Enterprise Application Platform 7 6.4.19Windows
Multiple Vulnerabilities are affected in Netapp Snapcenter 2.3Windows
Multiple Vulnerabilities are affected in Netapp Oncommand Shift 2.3Windows
Multiple Vulnerabilities are affected in IBM Aspera Shares 1.10.1Windows
Vulnerabilities CVE-2018-5968,CVE-2017-17485,CVE-2017-15095 are fixed in Jackson-databind for Linux 2.9.4Linux
Vulnerabilities CVE-2017-17485,CVE-2017-15095 are fixed in Jackson-databind for Linux 2.8.11Linux
Vulnerabilities CVE-2017-17485,CVE-2017-15095 are fixed in Jackson-databind for Linux 2.7.9.2Linux
Deserialization of Untrusted Data Vulnerability (CVE-2017-17485)NCM

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234