Attacker Value
Unknown
(0 users assessed)
Exploitability
Unknown
(0 users assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
0

CVE-2017-7525

Disclosure Date: February 06, 2018
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics
Base Score:
9.8 Critical
Impact Score:
5.9
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • debian,
  • fasterxml,
  • netapp,
  • oracle,
  • redhat

Products

  • banking platform 2.5.0,
  • banking platform 2.6.0,
  • banking platform 2.6.1,
  • banking platform 2.6.2,
  • communications billing and revenue management 12.0,
  • communications billing and revenue management 7.5,
  • communications communications policy management,
  • communications diameter signaling route,
  • communications instant messaging server 10.0.1,
  • communications instant messaging server 10.0.1.2.0,
  • debian linux 8.0,
  • debian linux 9.0,
  • enterprise manager for virtualization 13.2.2,
  • enterprise manager for virtualization 13.2.3,
  • enterprise manager for virtualization 13.3.1,
  • financial services analytical applications infrastructure 8.0.2.0.0,
  • financial services analytical applications infrastructure 8.0.3.0.0,
  • financial services analytical applications infrastructure 8.0.4.0.0,
  • financial services analytical applications infrastructure 8.0.5.0.0,
  • financial services analytical applications infrastructure 8.0.6.0.0,
  • financial services analytical applications infrastructure 8.0.7.0.0,
  • global lifecycle management opatchauto,
  • jackson-databind,
  • jackson-databind 2.9.0,
  • jboss enterprise application platform 6.0.0,
  • jboss enterprise application platform 6.4.0,
  • jboss enterprise application platform 7.0,
  • jboss enterprise application platform 7.1,
  • oncommand balance -,
  • oncommand performance manager -,
  • oncommand shift -,
  • openshift container platform 3.11,
  • openshift container platform 4.1,
  • primavera unifier,
  • primavera unifier 16.1,
  • primavera unifier 16.2,
  • primavera unifier 18.8,
  • snapcenter -,
  • utilities advanced spatial and operational analytics 2.7.0.1,
  • virtualization 4.0,
  • virtualization host 4.0,
  • webcenter portal 12.2.1.3.0

References

Advisory

Additional Info

Technical Analysis