- Bug
- Resolution: Done
- Medium
- El Alto Release
CMSO Security/Vulnerability SONATYPE-2017-0312 jackson-databind
jackson-databind is vulnerable to Remote Code Execution (RCE). The createBeanDeserializer() function in the BeanDeserializerFactory class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it.
Note: This vulnerability exists due to the incomplete fix for CVE-2017-7525, CVE-2017-15095, CVE-2017-17485, CVE-2018-5968, CVE-2018-7489, CVE-2018-11307, CVE-2018-12022, CVE-2018-12023, CVE-2018-14718, CVE-2018-14719, CVE-2018-14720, and CVE-2018-14721. Evidence of this can be found at https://pivotal.io/security/cve-2017-4995. The application is vulnerable by using this component when default typing is enabled and untrusted data is passed in to be deserialized.
com.fasterxml.jackson.core | jackson-databind | 2.9.9 | SONATYPE-2017-0312 | Ineffective |
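The condition the description names (default typing enabled, untrusted data deserialized) comes down to one ObjectMapper setting. The example below is added here and is not code from the ticket or from the CMSO project: it places the unrestricted configuration beside a hardened one that keeps polymorphic typing only for an allow-listed application type. The Message and Greeting types and the untrusted input string are constructed for the example; activateDefaultTyping and BasicPolymorphicTypeValidator exist from jackson-databind 2.10 on, so the hardened half assumes the component has been upgraded past the 2.9.9 listed in the table (on 2.9.x the only safe choice is to leave default typing off).

```java
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingDemo {

    // Hypothetical application types, not from the ticket.
    public interface Message { String describe(); }

    public static class Greeting implements Message {
        public String text;
        public Greeting() {}
        public Greeting(String text) { this.text = text; }
        @Override public String describe() { return "Greeting: " + text; }
    }

    // Weak configuration the ticket describes: global default typing with no
    // restriction, so the class to instantiate is taken from the JSON itself.
    static ObjectMapper weakMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(); // unsafe with untrusted input; deprecated since 2.10
        return m;
    }

    // Hardened configuration: polymorphic typing stays available, but only for
    // subtypes of the application's own Message interface. Requires 2.10+
    // (assumption: the component has been upgraded from the 2.9.9 on the ticket).
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Message.class)
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return m;
    }

    public static void main(String[] args) throws Exception {
        // Legitimate round-trip: the hardened mapper still handles the app's own type.
        // writerFor(Message.class) makes the declared type the interface so the
        // type id is written.
        String legit = hardenedMapper().writerFor(Message.class)
                .writeValueAsString(new Greeting("hello"));
        System.out.println("serialized: " + legit);
        Message back = hardenedMapper().readValue(legit, Message.class);
        System.out.println("hardened round-trip: " + back.describe());

        // Constructed untrusted input naming a class outside the allow-list.
        // java.util.HashMap is harmless; the point is only that the input,
        // not the application, picks the class that gets instantiated.
        String untrusted = "[\"java.util.HashMap\",{}]";

        Object fromWeak = weakMapper().readValue(untrusted, Object.class);
        System.out.println("weak mapper instantiated: " + fromWeak.getClass().getName());

        try {
            hardenedMapper().readValue(untrusted, Object.class);
            System.out.println("hardened mapper accepted the type (unexpected)");
        } catch (JsonMappingException e) {
            // The validator denies any subtype that is not a Message.
            System.out.println("hardened mapper rejected the type: " + e.getOriginalMessage());
        }
    }
}
```

Compile against jackson-databind 2.10 or later and run the class; the weak mapper reports the class name taken from the input, while the hardened mapper raises a JsonMappingException for the same input and only accepts types assignable to Message. The validator check, not the library version alone, is what closes the condition described in the ticket, so a component upgrade should be paired with removing or restricting enableDefaultTyping() in the application code.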
- is cloned by: OPTFRA-624 CMSO Security/Vulnerability CVE-2019-12384 jackson-databind (Closed)
- relates to: OPTFRA-641 Perform Software Composition Analysis - Vulnerability tables (Closed)