Remote code execution in FasterXML jackson-databind



Published: 2017-12-12
Risk High
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2017-17485
CWE-ID CWE-502
Exploitation vector Network
Public exploit Public exploit code for vulnerability #1 is available.
Vulnerable software
Subscribe
jackson-databind
Universal components / Libraries / Libraries used by multiple products

Vendor FasterXML

Security Bulletin

This security bulletin contains one high risk vulnerability.

1) Deserialization of untrusted data

EUVDB-ID: #VU10257

Risk: High

CVSSv3.1:

CVE-ID: CVE-2017-17485

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists in the FasterXML jackson-databind library due to improper validation of user-input handled by the readValue method of the ObjectMapper object. A remote attacker can send malicious input to the vulnerable method of a web application that uses the Spring library in the application's classpath and execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

The vulnerability is addressed in the following versions: 2.7.9.2 and 2.8.11.

Vulnerable software versions

jackson-databind: 2.8.0 - 2.8.10, 2.7.9 - 2.7.9.1, 2.9.0 - 2.9.3


CPE2.3 External links

http://github.com/FasterXML/jackson-databind/issues/1855

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?



###SIDEBAR###