CVE-2017-17485 (debian_linux, e-series_santricity_os_controller, e-series_santricity_web_services_proxy, jackson-databind, jboss_enterprise_application_platform, oncommand_shift, openshift_container_platform, snapcenter)

FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.

View Full Alert

Leave a Reply