CVE-2017-7525
critical-risk
Published 2018-02-06
A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.
Do I need to act?
!
79.3% chance of exploitation in next 30 days
EPSS score — higher than 21% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
+
Fix available
Upgrade to: f7abd682a7b2f8145ecff1c4e205073949f1e623, 8419c81fad9c7b884b6a02de7b5f1ce5700cbf32, c45ed8c4cbf6c29317bf4cf562558884fa698eec
9
CVSS 9.8/10
Critical
NETWORK
/ LOW complexity
Affected Products (20)
References (120)
Third Party Advisory
http://www.securityfocus.com/bid/99623
Third Party Advisory
http://www.securitytracker.com/id/1039744
Third Party Advisory
http://www.securitytracker.com/id/1039947
Third Party Advisory
http://www.securitytracker.com/id/1040360
Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:1834
Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:1835
Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:1836
Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:1837
Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:1839
Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:1840
Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:2477
Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:2546
Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:2547
Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:2633
Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:2635
Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:2636
Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:2637
and 100 more references
77
/ 100
critical-risk
Severity
32/34 · Critical
Exploitability
20/34 · Moderate
Exposure
25/34 · High