CVE-2017-17485: Deserialization of Untrusted Data
FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution when polymorphic (default) typing is enabled. An attacker who can deliver maliciously crafted JSON to the readValue method of the ObjectMapper can name the class Jackson instantiates; the built-in denylist of known gadget classes is ineffective if the Spring libraries are on the classpath, since Spring's FileSystemXmlApplicationContext (jackson-databind issue #1855) is not on that list and loads an attacker-supplied XML context that evaluates SpEL. Fixed in jackson-databind 2.8.11 and 2.9.4.
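The two ObjectMapper configurations that matter for this CVE, as an added example that is not part of the advisory or of the jackson-databind project: the legacy global default-typing setup that relies on the gadget denylist, beside the allowlist-based setup that jackson-databind 2.10 introduced. The Envelope class, the com.example.model. package prefix and the sample documents are assumptions made for the example; it needs jackson-databind 2.10 or later on the classpath.

```java
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

/** Added example (not the advisory's or the project's code): denylist vs. allowlist default typing. */
public class DefaultTypingExample {

    /** Hypothetical application type with an Object-typed field (assumption for this example). */
    public static class Envelope {
        public Object payload;
    }

    /**
     * The configuration that exposes CVE-2017-17485 on jackson-databind 2.8.10 / 2.9.3 and earlier:
     * global default typing lets the JSON name any non-final class, and the only guard is the
     * built-in denylist of known gadget classes. enableDefaultTyping is deprecated since 2.10.
     */
    @SuppressWarnings("deprecation")
    static ObjectMapper vulnerableMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    /**
     * Hardened configuration available since jackson-databind 2.10: an allowlist validator decides
     * which subtypes the JSON may name, so a class outside the allowed package is refused before
     * anything is constructed. The package prefix is an assumption for this example.
     */
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    /** Returns true when the mapper refuses to bind the document (type id not resolved or not allowed). */
    static boolean rejects(ObjectMapper mapper, String json) {
        try {
            mapper.readValue(json, Envelope.class);
            return false;
        } catch (JsonMappingException e) {
            return true;
        } catch (java.io.IOException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        // Constructed documents in the [className, value] shape that default typing accepts.
        // A JDK class outside the allowlist stands in for a gadget so the demo needs no Spring jar;
        // the real gadget named in the references is org.springframework.context.support.FileSystemXmlApplicationContext.
        String outsideAllowlist = "{\"payload\":[\"java.util.ArrayList\",[1,2]]}";
        String benign = "{\"payload\":\"hello\"}";

        System.out.println("legacy mapper rejects JDK class:    " + rejects(vulnerableMapper(), outsideAllowlist));
        System.out.println("hardened mapper rejects JDK class:  " + rejects(hardenedMapper(), outsideAllowlist));
        System.out.println("hardened mapper rejects plain string: " + rejects(hardenedMapper(), benign));
    }
}
```

The legacy mapper binds any class the denylist does not name, which is exactly the gap the Spring gadget exploits; the allowlisted mapper refuses the same document while still accepting ordinary scalar values, because Jackson handles natural types (String, Boolean, Integer, Double) without consulting the type id. On 2.8.x or 2.9.x the fix is to upgrade to 2.8.11 or 2.9.4 and, independently, to avoid global default typing on untrusted input.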
References
- www.securityfocus.com/archive/1/541652/100/0/threaded
- github.com/FasterXML/jackson-databind/issues/1855
- github.com/irsl/jackson-rce-via-spel/
- nvd.nist.gov/vuln/detail/CVE-2017-17485
- security.netapp.com/advisory/ntap-20180201-0003/
- www.debian.org/security/2018/dsa-4114
Detect and mitigate CVE-2017-17485 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities.