CVE-2017-7525

Description

A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.

References

Link	Tags
http://www.securitytracker.com/id/1040360	vdb entry third party advisory
https://access.redhat.com/errata/RHSA-2017:1840	third party advisory vendor advisory
https://access.redhat.com/errata/RHSA-2017:2547	third party advisory vendor advisory
https://access.redhat.com/errata/RHSA-2017:1836	third party advisory vendor advisory
https://access.redhat.com/errata/RHSA-2017:1835	third party advisory vendor advisory
https://access.redhat.com/errata/RHSA-2018:1449	third party advisory vendor advisory
http://www.securitytracker.com/id/1039744	vdb entry third party advisory
http://www.securitytracker.com/id/1039947	vdb entry third party advisory
https://access.redhat.com/errata/RHSA-2017:2635	third party advisory vendor advisory
https://access.redhat.com/errata/RHSA-2017:2638	third party advisory vendor advisory
https://access.redhat.com/errata/RHSA-2018:1450	third party advisory vendor advisory
https://access.redhat.com/errata/RHSA-2017:3458	third party advisory vendor advisory
https://access.redhat.com/errata/RHSA-2018:0294	third party advisory vendor advisory
https://access.redhat.com/errata/RHSA-2017:1837	third party advisory vendor advisory
https://access.redhat.com/errata/RHSA-2017:1834	third party advisory vendor advisory
https://access.redhat.com/errata/RHSA-2017:2546	third party advisory vendor advisory
https://access.redhat.com/errata/RHSA-2017:2636	third party advisory vendor advisory
https://access.redhat.com/errata/RHSA-2017:3455	third party advisory vendor advisory
https://access.redhat.com/errata/RHSA-2017:2477	third party advisory vendor advisory
https://access.redhat.com/errata/RHSA-2017:3456	third party advisory vendor advisory
https://access.redhat.com/errata/RHSA-2018:0342	third party advisory vendor advisory
https://access.redhat.com/errata/RHSA-2017:1839	third party advisory vendor advisory
http://www.securityfocus.com/bid/99623	vdb entry third party advisory
https://access.redhat.com/errata/RHSA-2017:2637	third party advisory vendor advisory
https://access.redhat.com/errata/RHSA-2017:3454	third party advisory vendor advisory
https://www.debian.org/security/2017/dsa-4004	third party advisory vendor advisory
https://access.redhat.com/errata/RHSA-2017:3141	third party advisory vendor advisory
https://access.redhat.com/errata/RHSA-2017:2633	third party advisory vendor advisory
https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E	mailing list
https://lists.apache.org/thread.html/f60afd3c7e9ebaaf70fad4a4beb75cf8740ac959017a31e7006c7486%40%3Cdev.lucene.apache.org%3E	mailing list
https://lists.apache.org/thread.html/3c87dc8bca99a2b3b4743713b33d1de05b1d6b761fdf316224e9c81f%40%3Cdev.lucene.apache.org%3E	mailing list
https://lists.apache.org/thread.html/c2ed4c0126b43e324cf740012a0edd371fd36096fd777be7bfe7a2a6%40%3Cdev.lucene.apache.org%3E	mailing list
https://lists.apache.org/thread.html/c10a2bf0fdc3d25faf17bd191d6ec46b29a353fa9c97bebd7c4e5913%40%3Cdev.lucene.apache.org%3E	mailing list
https://lists.apache.org/thread.html/b1f33fe5ade396bb903fdcabe9f243f7692c7dfce5418d3743c2d346%40%3Cdev.lucene.apache.org%3E	mailing list
https://access.redhat.com/errata/RHSA-2019:0910	third party advisory vendor advisory
https://access.redhat.com/errata/RHSA-2019:2858	third party advisory vendor advisory
https://access.redhat.com/errata/RHSA-2019:3149	third party advisory vendor advisory
https://lists.apache.org/thread.html/4641ed8616ccc2c1fbddac2c3dc9900c96387bc226eaf0232d61909b%40%3Ccommits.cassandra.apache.org%3E	mailing list
https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E	mailing list
https://lists.apache.org/thread.html/5008bcbd45ee65ce39e4220b6ac53d28a24d6bc67d5804e9773a7399%40%3Csolr-user.lucene.apache.org%3E	mailing list
https://lists.apache.org/thread.html/c9d5ff20929e8a3c8794facf4c4b326a9c10618812eec356caa20b87%40%3Csolr-user.lucene.apache.org%3E	mailing list
https://lists.apache.org/thread.html/f095a791bda6c0595f691eddd0febb2d396987eec5cbd29120d8c629%40%3Csolr-user.lucene.apache.org%3E	mailing list
https://lists.debian.org/debian-lts-announce/2020/01/msg00037.html	third party advisory mailing list
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html	third party advisory patch
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html	third party advisory patch
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html	third party advisory patch
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html	third party advisory patch
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html	third party advisory patch
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html	third party advisory patch
https://lists.debian.org/debian-lts-announce/2020/08/msg00039.html	third party advisory mailing list
https://www.oracle.com/security-alerts/cpuoct2020.html	third party advisory
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03902en_us	third party advisory
https://github.com/FasterXML/jackson-databind/issues/1723	issue tracking third party advisory
https://github.com/FasterXML/jackson-databind/issues/1599	issue tracking third party advisory patch
https://bugzilla.redhat.com/show_bug.cgi?id=1462702	issue tracking third party advisory
https://security.netapp.com/advisory/ntap-20171214-0002/	third party advisory
https://cwiki.apache.org/confluence/display/WW/S2-055	third party advisory
https://lists.apache.org/thread.html/r68acf97f4526ba59a33cc6e592261ea4f85d890f99e79c82d57dd589%40%3Cissues.spark.apache.org%3E	mailing list
https://lists.apache.org/thread.html/rf7f87810c38dc9abf9f93989f76008f504cbf7c1a355214640b2d04c%40%3Ccommits.cassandra.apache.org%3E	mailing list
https://lists.apache.org/thread.html/r42ac3e39e6265db12d9fc6ae1cd4b5fea7aed9830dc6f6d58228fed7%40%3Ccommits.cassandra.apache.org%3E	mailing list

Frequently Asked Questions

What is the severity of CVE-2017-7525?: CVE-2017-7525 has been scored as a critical severity vulnerability.
How to fix CVE-2017-7525?: To fix CVE-2017-7525, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2017-7525 being actively exploited in the wild?: It is possible that CVE-2017-7525 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~78% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2017-7525?: CVE-2017-7525 affects FasterXML jackson-databind.

Description

Categories

CWE-184 – Incomplete List of Disallowed Inputs

CWE-502 – Deserialization of Untrusted Data

References

Frequently Asked Questions