Is CVE-2017-15095 actively exploited?

CVE-2017-15095 has no public evidence of in-the-wild exploitation as of 2024-11-21.

What is the CVSS score for CVE-2017-15095?

CVE-2017-15095 has a CVSS score of 9.8 (CRITICAL severity). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

How do I patch CVE-2017-15095?

Patch guidance is available from fasterxml security advisories. CVEDatabase generates AI-assisted remediation guidance on demand for CVE-2017-15095.

Fix CVE-2017-15095 - CRITICAL fasterxml jackson-databind

Q: Which products are affected by CVE-2017-15095?

52 products: fasterxml jackson-databind, fasterxml jackson-databind, fasterxml jackson-databind, fasterxml jackson-databind, fasterxml jackson-databind, and 47 more.

Description

A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.

CVSS Metrics

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: network
Complexity: low
Privileges: none
User Action: none
Scope: unchanged
Confidentiality: high
Integrity: high
Availability: high
Weaknesses: CWE-184 CWE-502 · Insecure Deserialization

Metadata

Primary Vendor: FASTERXML
Published: 2/6/2018
Last Modified: 11/21/2024
Source: NIST NVD
Note: Verify all details with official vendor sources before applying patches.

Affected Products

fasterxml : jackson-databindfasterxml : jackson-databindfasterxml : jackson-databindfasterxml : jackson-databindfasterxml : jackson-databindfasterxml : jackson-databindfasterxml : jackson-databindfasterxml : jackson-databinddebian : debian_linuxdebian : debian_linuxredhat : openshift_container_platformredhat : satelliteredhat : satellite_capsuleredhat : openshift_container_platformredhat : jboss_enterprise_application_platformredhat : jboss_enterprise_application_platformredhat : jboss_enterprise_application_platformnetapp : oncommand_balancenetapp : oncommand_performance_managernetapp : oncommand_performance_managernetapp : oncommand_shiftnetapp : snapcenteroracle : banking_platformoracle : banking_platformoracle : banking_platformoracle : banking_platformoracle : clusterwareoracle : communications_billing_and_revenue_managementoracle : communications_billing_and_revenue_managementoracle : communications_diameter_signaling_routeroracle : communications_instant_messaging_serveroracle : database_serveroracle : database_serveroracle : enterprise_manager_for_virtualizationoracle : enterprise_manager_for_virtualizationoracle : enterprise_manager_for_virtualizationoracle : financial_services_analytical_applications_infrastructureoracle : financial_services_analytical_applications_infrastructureoracle : financial_services_analytical_applications_infrastructureoracle : financial_services_analytical_applications_infrastructureoracle : financial_services_analytical_applications_infrastructureoracle : financial_services_analytical_applications_infrastructureoracle : global_lifecycle_management_opatchautooracle : identity_manageroracle : identity_manageroracle : jd_edwards_enterpriseone_toolsoracle : primavera_unifieroracle : primavera_unifieroracle : primavera_unifieroracle : primavera_unifieroracle : utilities_advanced_spatial_and_operational_analyticsoracle : webcenter_portal

Remediation Guidance

Executive Summary

View on NIST NVD