VDB

CVE-2017-15095

CVE-2017-15095 PUBLISHED

A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.

EPSS 7.89% · 92.2th percentile

Risk Scores

EPSS Score
7.89%
92.2th percentile

Affected Products

VendorProductVersions
Ubuntu:20.04:LTSlibjackson-json-java0, 1.9.13-1
Ubuntu:Pro:16.04:LTSjackson-databind2.4.2-2, 2.4.2-3, 0
Ubuntu:Pro:14.04:LTSjackson-databind2.2.2-1, 0
Ubuntu:Pro:14.04:LTSlibjackson-json-java1.9.2-3, 1.9.2-1, 1.9.2-2
Ubuntu:18.04:LTSlibjackson-json-java0, 1.9.2-9, *
Ubuntu:16.04:LTSlibjackson-json-java0, 1.9.2-5, 1.9.2-7

Exploit Intelligence

Timeline

  • Feb 6, 2018 CVE Published
  • Sep 27, 2019 CVE Updated
  • Apr 14, 2021 EPSS Score
  • Nov 3, 2022 EPSS Score
  • Mar 7, 2023 EPSS Score
  • Nov 8, 2023 EPSS Score
  • Jul 9, 2024 EPSS Score
  • Aug 10, 2024 EPSS Score
  • Sep 17, 2024 EPSS Score
  • Feb 18, 2025 EPSS Score
  • Mar 17, 2025 EPSS Score
  • Mar 26, 2025 EPSS Score

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›