CVE-2017-17485 @ Maven-com.fasterxml.jackson.core:jackson-databind-2.6.7.1 #104
Labels
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
{{ message }}
Vulnerable Package issue exists @ Maven-com.fasterxml.jackson.core:jackson-databind-2.6.7.1 in branch main
FasterXML jackson-databind before 2.6.7.3, 2.7.x before 2.7.9.2, 2.8.x before 2.8.11 and 2.9.x before 2.9.4, allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.
Namespace: scott-cx
Repository: edgemere
Repository Url: https://github.com/scott-cx/edgemere
CxAST-Project: scott-cx/edgemere
CxAST platform scan: 45abb8d9-377e-427c-92f9-26a15742bad7
Branch: main
Application: edgemere
Severity: HIGH
State: NOT_IGNORED
Status: RECURRENT
CWE: CWE-502
Additional Info
Attack vector: NETWORK
Attack complexity: LOW
Confidentiality impact: HIGH
Availability impact: HIGH
Remediation Upgrade Recommendation: 2.6.7.5
References
Advisory
Issue
Commit
The text was updated successfully, but these errors were encountered: