CVE-2017-15095

Published: 06/02/2018 Updated: 07/11/2023
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 670
CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

A deserialization flaw exists in jackson-databind versions prior to 2.8.10 and 2.9.1, which could allow an unauthenticated user to achieve code execution by sending maliciously crafted input to the readValue method of ObjectMapper. This issue extends the previous flaw, CVE-2017-7525; the fix blacklists additional classes that could be used maliciously.
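As an added illustration (not part of this record or of the jackson-databind project), a small Python checker that scans Maven `dependency:tree` output for jackson-databind versions in the range this record names: anything before 2.8.10, plus 2.9.0 on the 2.9 line. The sample tree lines are constructed.

```python
import re
from typing import List, Tuple

# Fixed versions named in the CVE record: 2.8.10 for the 2.8 line, 2.9.1 for the 2.9 line.
FIXED_2_8 = (2, 8, 10)
FIXED_2_9 = (2, 9, 1)

# Matches a Maven dependency:tree line such as
#   [INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.0:compile
DEP_RE = re.compile(
    r"com\.fasterxml\.jackson\.core:jackson-databind:jar:(?P<version>[0-9][^:\s]*)"
)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.8.11.1' into (2, 8, 11, 1); qualifiers such as '-rc1' are dropped."""
    core = re.split(r"[-+]", text, maxsplit=1)[0]
    return tuple(int(p) for p in core.split(".") if p.isdigit())


def is_vulnerable(version: str) -> bool:
    """True for versions prior to 2.8.10, and for 2.9.x prior to 2.9.1."""
    v = parse_version(version)
    if v[:2] == (2, 9):
        return v < FIXED_2_9
    return v < FIXED_2_8


def find_vulnerable(tree_output: str) -> List[Tuple[str, bool]]:
    """Return (version, vulnerable?) for every jackson-databind artifact in the tree."""
    found = []
    for line in tree_output.splitlines():
        m = DEP_RE.search(line)
        if m:
            ver = m.group("version")
            found.append((ver, is_vulnerable(ver)))
    return found


# Constructed sample of `mvn dependency:tree` output; not taken from a real project.
SAMPLE_TREE = """\
[INFO] com.example:demo:jar:1.0
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.0:compile
[INFO] |  \\- com.fasterxml.jackson.core:jackson-core:jar:2.9.0:compile
[INFO] +- org.example:legacy-lib:jar:3.2:compile
[INFO] |  \\- com.fasterxml.jackson.core:jackson-databind:jar:2.8.9:compile
[INFO] \\- com.fasterxml.jackson.core:jackson-databind:jar:2.8.10:compile
"""

if __name__ == "__main__":
    for ver, vuln in find_vulnerable(SAMPLE_TREE):
        print(f"jackson-databind {ver}: {'VULNERABLE' if vuln else 'fixed'}")
```

The check covers only the range this record gives; later jackson-databind advisories set higher minimum versions, so treat 2.8.10/2.9.1 as a floor for this CVE, not as a current safe version.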

Vulnerability Trend

fasterxml jackson-databind

fasterxml jackson-databind 2.9.0

debian debian linux 8.0

debian debian linux 9.0

redhat openshift container platform 3.11

redhat satellite 6.4

redhat satellite capsule 6.4

redhat openshift_container_platform 4.1

redhat jboss_enterprise_application_platform 6.0.0

redhat jboss_enterprise_application_platform 6.4.0

redhat jboss_enterprise_application_platform 7.1.0

netapp oncommand balance -

netapp snapcenter -

netapp oncommand shift -

netapp oncommand performance manager -

oracle primavera unifier 16.2

oracle identity manager 11.1.2.3.0

oracle jd edwards enterpriseone tools 9.2

oracle banking platform 2.5.0

oracle primavera unifier 16.1

oracle webcenter portal 12.2.1.3.0

oracle database server 12.2.0.1

oracle database server 18.1

oracle identity manager 12.2.1.3.0

oracle primavera unifier

oracle communications diameter signaling router

oracle communications billing and revenue management 7.5

oracle communications billing and revenue management 12.0

oracle financial services analytical applications infrastructure 8.0.2

oracle financial services analytical applications infrastructure 8.0.3

oracle financial services analytical applications infrastructure 8.0.4

oracle financial services analytical applications infrastructure 8.0.5

oracle financial services analytical applications infrastructure 8.0.6

oracle financial services analytical applications infrastructure 8.0.7

oracle banking platform 2.6.0

oracle banking platform 2.6.1

oracle banking platform 2.6.2

oracle enterprise manager for virtualization 13.2.2

oracle enterprise manager for virtualization 13.2.3

oracle enterprise manager for virtualization 13.3.1

oracle primavera unifier 18.8

oracle clusterware 12.1.0.2.0

oracle utilities advanced spatial and operational analytics 2.7.0.1

oracle communications instant messaging server 10.0.1.2.0

oracle global lifecycle management opatchauto

Vendor Advisories

Synopsis: Important: Red Hat JBoss BRMS 6.4.12 security update. Type/Severity: Security Advisory: Important. Topic: An update is now available for Red Hat JBoss BRMS. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, w ...
Synopsis: Important: Red Hat JBoss Enterprise Application Platform 6.4.20 security update. Type/Severity: Security Advisory: Important. Topic: An update is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having a ...
Synopsis: Important: jboss-ec2-eap package for EAP 7.1.1. Type/Severity: Security Advisory: Important. Topic: An update for eap7-jboss-ec2-eap is now available for Red Hat JBoss Enterprise Application Platform 7.1.1 for Red Hat Enterprise Linux 6 and Red Hat JBoss Enterprise Application Platform 7.1.1 for Red Ha ...
Synopsis: Important: Red Hat JBoss BPM Suite 6.4.9 security update. Type/Severity: Security Advisory: Important. Topic: An update is now available for Red Hat JBoss BPM Suite. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base ...
Synopsis: Important: JBoss Enterprise Application Platform 7.1.1 on RHEL 6. Type/Severity: Security Advisory: Important. Topic: An update is now available for Red Hat JBoss Enterprise Application Platform 7.1 for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impac ...
Synopsis: Important: Satellite 6.4 security, bug fix, and enhancement update. Type/Severity: Security Advisory: Important. Topic: An update is now available for Red Hat Satellite 6.4 for RHEL 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring ...
Synopsis: Important: rh-eclipse46-jackson-databind security update. Type/Severity: Security Advisory: Important. Topic: An update for rh-eclipse46-jackson-databind is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common V ...
Synopsis: Important: JBoss Enterprise Application Platform 7.1.1 for RHEL 7. Type/Severity: Security Advisory: Important. Topic: An update is now available for Red Hat JBoss Enterprise Application Platform 7.1 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impa ...
Synopsis: Important: Red Hat JBoss BRMS 6.4.9 security update. Type/Severity: Security Advisory: Important. Topic: An update is now available for Red Hat JBoss BRMS. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, wh ...
Synopsis: Important: OpenShift Container Platform logging-elasticsearch5-container security update. Type/Severity: Security Advisory: Important. Topic: An update for logging-elasticsearch5-container is now available for Red Hat OpenShift Container Platform 3.11. Red Hat Product Security has rated this update as h ...
Synopsis: Important: Red Hat JBoss Enterprise Application Platform 6.4.20 security update. Type/Severity: Security Advisory: Important. Topic: An update is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a ...
Synopsis: Important: rh-maven35-jackson-databind security update. Type/Severity: Security Advisory: Important. Topic: An update for rh-maven35-jackson-databind is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulne ...
Synopsis: Important: Red Hat JBoss Enterprise Application Platform 7.1.1 security update. Type/Severity: Security Advisory: Important. Topic: An update is now available for Red Hat JBoss Enterprise Application Platform. Red Hat Product Security has rated this update as having a security impact of Important. A Com ...
Synopsis: Important: Red Hat Fuse 7.5.0 security update. Type/Severity: Security Advisory: Important. Topic: A minor version update (from 7.4 to 7.5) is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Red Hat Product Security h ...
Synopsis: Important: eap6-jboss-ec2-eap security update. Type/Severity: Security Advisory: Important. Topic: An update for jboss-ec2-eap is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact ...
Synopsis: Important: Red Hat JBoss Enterprise Application Platform 6.4.20 security update. Type/Severity: Security Advisory: Important. Topic: Updated packages that provide Red Hat JBoss Enterprise Application Platform 6.4.20, fix several bugs, and add various enhancements are now available from the Red Hat Cu ...
Synopsis: Important: Red Hat JBoss BPM Suite 6.4.12 security update. Type/Severity: Security Advisory: Important. Topic: An update is now available for Red Hat JBoss BPM Suite. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) bas ...
Synopsis: Important: Red Hat JBoss Operations Network 3.3.11 security and bug fix update. Type/Severity: Security Advisory: Important. Topic: An update is now available for Red Hat JBoss Operations Network. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerabi ...
Synopsis: Important: rh-eclipse46-jackson-databind security update. Type/Severity: Security Advisory: Important. Topic: An update for rh-eclipse46-jackson-databind is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common V ...
Synopsis: Important: Red Hat JBoss Enterprise Application Platform 6.4.20 security update. Type/Severity: Security Advisory: Important. Topic: An update is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a ...
Synopsis: Important: rh-eclipse47-jackson-databind security update. Type/Severity: Security Advisory: Important. Topic: An update for rh-eclipse47-jackson-databind is now available for Red Hat Developer Tools. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulner ...
Synopsis: Important: OpenShift Container Platform 4.1.18 logging-elasticsearch5 security update. Type/Severity: Security Advisory: Important. Topic: An update for logging-elasticsearch5-container is now available for Red Hat OpenShift Container Platform 4.1. Red Hat Product Security has rated this update as havin ...
A deserialization flaw was discovered in jackson-databind which could allow an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously ...
Multiple vulnerabilities have been found in Hitachi Ops Center Common Services: CVE-2017-7525, CVE-2017-15095, CVE-2020-14389, CVE-2020-25694, CVE-2020-25695, CVE-2020-25696, CVE-2020-35490, CVE-2020-35491. Affected products and versions are listed below. Please upgrade your version to the appropriate version ...

Github Repositories

AWS SDK for Java. The AWS SDK for Java enables Java developers to easily work with Amazon Web Services and build scalable solutions with Amazon S3, Amazon DynamoDB, Amazon Glacier, and more. You can get started in minutes using Maven or by downloading a single zip file. SDK Homepage | API Docs | Developer Guide (source) | Forum | Issues | SDK Blog | Getting Help | Release Notes. Beginning w ...

Demo project to show different ways of fixing vulnerabilities found in Maven based java project.

dependency-demo-app. Demo project to show different ways of fixing vulnerabilities found in a Maven-based Java project. Run Dependency-Check with the following command: mvn org.owasp:dependency-check-maven:check. The result will be generated at target/dependency-check-report.html. Different kinds of vulnerabilities and ways to fix them: Vulnerability Category | Vulnerable dependenc ...

Vulnerable Play application. The point of this repo is to show how easy it is to do an XXE attack on an old version of the framework. Steps: Step 1: Run the app: sbt run. Step 2: Create a service to serve malicious content: ruby -rwebrick -e'WEBrick::HTTPServer.new(:Port => 8000, :DocumentRoot => Dir.pwd).start'. Step 3: Create malicious input as file test.dtd: <! ...

AWS SDK for Java. The AWS SDK for Java enables Java developers to easily work with Amazon Web Services and build scalable solutions with Amazon S3, Amazon DynamoDB, Amazon Glacier, and more. You can get started in minutes using Maven or by downloading a single zip file. SDK Homepage | API Docs | Developer Guide (source) | Forum | Issues | SDK Blog | Getting Help. Note: A version 2.x of th ...

vulnerable application

Project code and dependent component analysis tools.

clocwalk. Project code and dependent component analysis tools. Dependency installation: npm install -g cloc # www.npmjs.com/package/cloc; sudo apt install cloc # Debian, Ubuntu; sudo yum install cloc # Red Hat, Fedora; sudo dnf install cloc # Fedora 22 or later; sudo pacman -S cloc

References

CWE-502
https://github.com/FasterXML/jackson-databind/issues/1737
https://github.com/FasterXML/jackson-databind/issues/1680
https://www.debian.org/security/2017/dsa-4037
https://security.netapp.com/advisory/ntap-20171214-0003/
https://access.redhat.com/errata/RHSA-2017:3190
https://access.redhat.com/errata/RHSA-2017:3189
http://www.securitytracker.com/id/1039769
https://access.redhat.com/errata/RHSA-2018:0342
https://access.redhat.com/errata/RHSA-2018:0481
https://access.redhat.com/errata/RHSA-2018:0480
https://access.redhat.com/errata/RHSA-2018:0479
https://access.redhat.com/errata/RHSA-2018:0478
https://access.redhat.com/errata/RHSA-2018:0577
https://access.redhat.com/errata/RHSA-2018:0576
http://www.securityfocus.com/bid/103880
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
https://access.redhat.com/errata/RHSA-2018:1451
https://access.redhat.com/errata/RHSA-2018:1450
https://access.redhat.com/errata/RHSA-2018:1449
https://access.redhat.com/errata/RHSA-2018:1448
https://access.redhat.com/errata/RHSA-2018:1447
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
https://access.redhat.com/errata/RHSA-2018:2927
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
https://access.redhat.com/errata/RHSA-2019:2858
https://access.redhat.com/errata/RHSA-2019:3149
https://access.redhat.com/errata/RHSA-2019:3892
https://lists.debian.org/debian-lts-announce/2020/01/msg00037.html
https://www.oracle.com/security-alerts/cpuoct2020.html
https://lists.apache.org/thread.html/f095a791bda6c0595f691eddd0febb2d396987eec5cbd29120d8c629%40%3Csolr-user.lucene.apache.org%3E
https://nvd.nist.gov
https://access.redhat.com/errata/RHSA-2019:1782
https://github.com/surajbabar/dependency-demo-app
https://access.redhat.com/security/cve/cve-2017-15095