CVE-2017-7525: Deserialization of Untrusted Data
A deserialization flaw was discovered in jackson-databind that could allow an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of the ObjectMapper.
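As an added mitigation example, not part of this advisory or of the jackson-databind project: the weak ObjectMapper setting that trusts any class name in the input, beside a hardened one that keeps polymorphic deserialization usable but restricts which classes a readValue call may instantiate. It assumes jackson-databind 2.10 or later on the classpath, an application package com.example.model, and the constructed Envelope and Note types.

```java
package com.example.model;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

// Added example; assumes jackson-databind 2.10+ (activateDefaultTyping API).
public class DefaultTypingHardening {

    // An Object-typed field is where class-name type ids are honoured once
    // default typing is enabled, so this is the field to protect.
    public static class Envelope {
        public Object payload;
    }

    // The only application type the payload field should ever resolve to.
    public static class Note {
        public String text;
    }

    // Weak setting: any class on the classpath can be named in the input.
    // Shown only for contrast with the hardened mapper below.
    @SuppressWarnings("deprecation")
    public static ObjectMapper unrestrictedMapper() {
        return new ObjectMapper().enableDefaultTyping();
    }

    // Hardened setting: class-name type ids are still accepted, but only for
    // subtypes under the application's own package (prefix is an assumption).
    public static ObjectMapper restrictedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")
                .build();
        return new ObjectMapper()
                .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = restrictedMapper();
        // Constructed inputs in the wrapper-array form Jackson uses for default typing.
        String allowed = "{\"payload\":[\"com.example.model.DefaultTypingHardening$Note\",{\"text\":\"hi\"}]}";
        String denied = "{\"payload\":[\"java.util.HashMap\",{}]}"; // class outside the allow-list

        Envelope ok = mapper.readValue(allowed, Envelope.class);
        System.out.println("accepted: " + ((Note) ok.payload).text);

        try {
            mapper.readValue(denied, Envelope.class);
        } catch (InvalidTypeIdException e) {
            // The validator refuses the type id before any instance is created.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same validator can be installed for annotation-driven class-id typing with ObjectMapper.setPolymorphicTypeValidator, so the allow-list applies wherever the input names a class.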
References
- www.securityfocus.com/bid/99623
- www.securitytracker.com/id/1039744
- www.securitytracker.com/id/1039947
- www.securitytracker.com/id/1040360
- bugzilla.redhat.com/show_bug.cgi?id=1462702
- github.com/FasterXML/jackson-databind/issues/1599
- github.com/FasterXML/jackson-databind/issues/1723
- github.com/FasterXML/jackson-databind/issues/1737
- nvd.nist.gov/vuln/detail/CVE-2017-7525
- www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true