Vulnerability identifier: #VU17777
Vulnerability risk: Low
Exploitation vector: Network
Exploit availability: No
The disclosed vulnerability allows a remote attacker to perform XXE attacks.
The vulnerability exists due to fail to block unspecified Java Development Kit (JDK) classes from polymorphic deserialization. A remote attacker can send a specially crafted request that submits malicious input, conduct an XXE attack to access sensitive information, bypass security restrictions, or cause a denial of service (DoS) condition on the targeted system.
Update to version 2.9.7.
Vulnerable software versions
jackson-databind: 2.9.0 - 2.9.6
Can this vulnerability be exploited remotely?
Is there known malware, which exploits this vulnerability?