FasterXML jackson-databind up to and including 2.8.11 and 2.9.x up to and including 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.
Vulnerable Product |
---|
fasterxml jackson-databind |
debian debian linux 8.0 |
debian debian linux 9.0 |
redhat openshift_container_platform 4.1 |
redhat virtualization 4.0 |
redhat virtualization_host 4.0 |
redhat jboss_enterprise_application_platform 7.1 |
redhat openshift container platform 3.11 |
netapp e-series santricity web services proxy - |
netapp e-series santricity os controller |
netapp oncommand shift - |