Attacker Value
Unknown
CVE-2017-15095
CVE-2017-15095
(Last updated November 08, 2023) ▾
MITRE ATT&CK
Log in to add MITRE ATT&CK tag
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Description
A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.
Add Assessment
No one has assessed this topic. Be the first to add your voice to the community.
CVSS V3 Severity and Metrics
Data provided by the National Vulnerability Database (NVD)
Base Score:
9.8 Critical
Impact Score:
5.9
Exploitability Score:
3.9
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High
General Information
Vendors
- debian,
- fasterxml,
- netapp,
- oracle,
- redhat
Products
- banking platform 2.5.0,
- banking platform 2.6.0,
- banking platform 2.6.1,
- banking platform 2.6.2,
- clusterware 12.1.0.2.0,
- communications billing and revenue management 12.0,
- communications billing and revenue management 7.5,
- communications diameter signaling router,
- communications instant messaging server 10.0.1.2.0,
- database server 12.2.0.1,
- database server 18.1,
- debian linux 8.0,
- debian linux 9.0,
- enterprise manager for virtualization 13.2.2,
- enterprise manager for virtualization 13.2.3,
- enterprise manager for virtualization 13.3.1,
- financial services analytical applications infrastructure 8.0.2,
- financial services analytical applications infrastructure 8.0.3,
- financial services analytical applications infrastructure 8.0.4,
- financial services analytical applications infrastructure 8.0.5,
- financial services analytical applications infrastructure 8.0.6,
- financial services analytical applications infrastructure 8.0.7,
- global lifecycle management opatchauto,
- identity manager 11.1.2.3.0,
- identity manager 12.2.1.3.0,
- jackson-databind,
- jackson-databind 2.9.0,
- jboss enterprise application platform 6.0.0,
- jboss enterprise application platform 6.4.0,
- jboss enterprise application platform 7.1.0,
- jd edwards enterpriseone tools 9.2,
- oncommand balance -,
- oncommand performance manager -,
- oncommand shift -,
- openshift container platform 3.11,
- openshift container platform 4.1,
- primavera unifier,
- primavera unifier 16.1,
- primavera unifier 16.2,
- primavera unifier 18.8,
- satellite 6.4,
- satellite capsule 6.4,
- snapcenter -,
- utilities advanced spatial and operational analytics 2.7.0.1,
- webcenter portal 12.2.1.3.0
References
Advisory
