CVE-2017-15095

EPSS 7.41%
Veröffentlicht 06.02.2018 15:29:00
Zuletzt bearbeitet 21.11.2024 03:14:03
Quelle secalert@redhat.com
Teams Watchlist Login
Unerledigt Login

A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 35

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Fasterxml ≫ Jackson-databind Version >= 2.0.0 < 2.6.7.2

Fasterxml ≫ Jackson-databind Version >= 2.7.0 < 2.7.9.2

Fasterxml ≫ Jackson-databind Version >= 2.8.0 < 2.8.10

Fasterxml ≫ Jackson-databind Version2.9.0 Update-

Fasterxml ≫ Jackson-databind Version2.9.0 Updateprerelease1

Fasterxml ≫ Jackson-databind Version2.9.0 Updateprerelease2

Fasterxml ≫ Jackson-databind Version2.9.0 Updateprerelease3

Fasterxml ≫ Jackson-databind Version2.9.0 Updateprerelease4

Debian ≫ Debian Linux Version8.0

Debian ≫ Debian Linux Version9.0

Redhat ≫ Openshift Container Platform Version3.11

Redhat ≫ Satellite Version6.4

Redhat ≫ Satellite Capsule Version6.4

Redhat ≫ Openshift Container Platform Version4.1

Redhat ≫ Enterprise Linux Version7.0

Redhat ≫ Jboss Enterprise Application Platform Version6.0.0

   Redhat ≫ Enterprise Linux Version5.0
   Redhat ≫ Enterprise Linux Version6.0
   Redhat ≫ Enterprise Linux Version7.0

Redhat ≫ Jboss Enterprise Application Platform Version6.4.0

   Redhat ≫ Enterprise Linux Version5.0
   Redhat ≫ Enterprise Linux Version6.0
   Redhat ≫ Enterprise Linux Version7.0

Redhat ≫ Jboss Enterprise Application Platform Version7.1.0

Redhat ≫ Enterprise Linux Version6.0
Redhat ≫ Enterprise Linux Version7.0

Netapp ≫ Oncommand Balance Version-

Netapp ≫ Oncommand Performance Manager Version- SwPlatformlinux

Netapp ≫ Oncommand Performance Manager Version- SwPlatformvmware_vsphere

Netapp ≫ Oncommand Shift Version-

Netapp ≫ Snapcenter Version-

Oracle ≫ Banking Platform Version2.5.0

Oracle ≫ Banking Platform Version2.6.0

Oracle ≫ Banking Platform Version2.6.1

Oracle ≫ Banking Platform Version2.6.2

Oracle ≫ Clusterware Version12.1.0.2.0

Oracle ≫ Communications Billing And Revenue Management Version7.5

Oracle ≫ Communications Billing And Revenue Management Version12.0

Oracle ≫ Communications Diameter Signaling Router Version < 8.3

Oracle ≫ Communications Instant Messaging Server Version10.0.1.2.0

Oracle ≫ Database Server Version12.2.0.1

Oracle ≫ Database Server Version18.1

Oracle ≫ Enterprise Manager For Virtualization Version13.2.2

Oracle ≫ Enterprise Manager For Virtualization Version13.2.3

Oracle ≫ Enterprise Manager For Virtualization Version13.3.1

Oracle ≫ Financial Services Analytical Applications Infrastructure Version8.0.2

Oracle ≫ Financial Services Analytical Applications Infrastructure Version8.0.3

Oracle ≫ Financial Services Analytical Applications Infrastructure Version8.0.4

Oracle ≫ Financial Services Analytical Applications Infrastructure Version8.0.5

Oracle ≫ Financial Services Analytical Applications Infrastructure Version8.0.6

Oracle ≫ Financial Services Analytical Applications Infrastructure Version8.0.7

Oracle ≫ Global Lifecycle Management Opatchauto Version < 12.2.0.1.14

Oracle ≫ Identity Manager Version11.1.2.3.0

Oracle ≫ Identity Manager Version12.2.1.3.0

Oracle ≫ Jd Edwards Enterpriseone Tools Version9.2

Oracle ≫ Primavera Unifier Version >= 17.1 <= 17.12

Oracle ≫ Primavera Unifier Version16.1

Oracle ≫ Primavera Unifier Version16.2

Oracle ≫ Primavera Unifier Version18.8

Oracle ≫ Utilities Advanced Spatial And Operational Analytics Version2.7.0.1

Oracle ≫ Webcenter Portal Version12.2.1.3.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	7.41%	0.914

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P

CWE-184 Incomplete List of Disallowed Inputs

The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.

CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

Patch

Third Party Advisory

http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

Patch

Third Party Advisory

http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

Patch

Third Party Advisory

https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html