Vulnerability identifier: #VU9607
Vulnerability risk: High
Exploitation vector: Network
Exploit availability: No
Universal components / Libraries / Libraries used by multiple products
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists in the jackson-databind development library due to an improperly implemented blacklist for input handled by the readValue method of the ObjectMapper object. A remote unauthenticated attacker can send malicious input and execute arbitrary code with elevated privileges.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Install the update from the vendor's website.
Vulnerable software versions
jackson-databind: 2.9.0, 2.8.0 - 2.8.9
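To check whether a build resolves one of the versions listed above, the following added example (not part of the original advisory or of the jackson-databind project) scans Maven `dependency:tree` or Gradle `dependencies` output for jackson-databind coordinates. The sample input is constructed, and "not-listed" only means the version is absent from this page's list, not that it is confirmed fixed.

```python
import re

# Affected versions as listed on this page: 2.8.0 - 2.8.9 and 2.9.0 (inclusive).
AFFECTED = [((2, 8, 0), (2, 8, 9)), ((2, 9, 0), (2, 9, 0))]

# group:artifact[:type]:version, optionally followed by Gradle's "-> resolved".
COORD = re.compile(
    r"com\.fasterxml\.jackson\.core:jackson-databind:(?:[a-z][a-z-]*:)?"
    r"(?P<req>\d[\w.-]*)(?:\s*->\s*(?P<res>\d[\w.-]*))?"
)

def classify(version):
    """Return 'affected', 'review' or 'not-listed' for one version string."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(.*)", version)
    if not m:
        return "review"
    nums = tuple(int(p) for p in m.group(1).split("."))
    base = (nums + (0, 0, 0))[:3]
    if not any(lo <= base <= hi for lo, hi in AFFECTED):
        return "not-listed"
    # Assumption: qualifiers (-SNAPSHOT, .pr1) and 4-part versions are not on
    # the page's list, so they are flagged for manual review instead.
    return "affected" if len(nums) <= 3 and not m.group(2) else "review"

def scan(text):
    """Return (line_no, effective_version, status) per databind coordinate."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for m in COORD.finditer(line):
            # Gradle prints "requested -> resolved"; the resolved one is used.
            version = (m.group("res") or m.group("req")).rstrip(".-")
            findings.append((no, version, classify(version)))
    return findings

# Constructed sample mixing Maven dependency:tree and Gradle dependencies output.
SAMPLE = """\
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.8.9:compile
[INFO] +- com.fasterxml.jackson.core:jackson-core:jar:2.8.9:compile
+--- com.fasterxml.jackson.core:jackson-databind:2.8.5 -> 2.9.4
\\--- com.fasterxml.jackson.core:jackson-databind:2.9.0
|    +--- com.fasterxml.jackson.core:jackson-databind:2.9.0.pr1
"""

if __name__ == "__main__":
    for no, version, status in scan(SAMPLE):
        print(f"line {no}: jackson-databind {version} -> {status}")
```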