CVE-2017-7525
jackson-databind - security update
9.8
CRITICAL
CVSS 3.1
EPSS 82.4%
Description
A deserialization flaw was discovered in jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to achieve code execution by sending maliciously crafted input to the readValue method of the ObjectMapper.
How to fix CVE-2017-7525
To remediate CVE-2017-7525, upgrade the affected package to one of the fixed versions listed below.
- Debian/jackson-databind—upgrade to 2.9.1-1 or later
- —upgrade to 2.4.2-2+deb8u1 or later
- —upgrade to 1.9.13-2 or later
- —upgrade to 2.6.7.1 or later
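As an added example (not part of this advisory), the version boundaries above expressed as a Python check over a dependency list: it flags upstream jackson-databind versions below the branch fix releases 2.6.7.1, 2.7.9.1 and 2.8.9, and treats branches older than 2.6 as unfixed, matching the "from 0" ranges. The Gradle-style coordinate format and the sample dependency list are assumptions; Debian package versions with packaging suffixes are deliberately rejected rather than compared.

```python
"""Check upstream jackson-databind versions against CVE-2017-7525 fix releases."""
import re

# Minor branch -> first fixed release on that branch, as stated in the advisory.
FIXED_IN = {
    (2, 6): (2, 6, 7, 1),
    (2, 7): (2, 7, 9, 1),
    (2, 8): (2, 8, 9),
}


def parse_version(text):
    """Turn '2.8.9' or '2.6.7.1' into an integer tuple for comparison.
    Debian-style strings such as '2.4.2-2+deb8u1' are rejected: their packaging
    suffix does not map onto upstream numbering, so compare those separately."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"not an upstream version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_affected(version):
    """True if this upstream version predates the fix on its branch."""
    parsed = parse_version(version)
    padded = parsed + (0,) * (4 - len(parsed))  # so 2.8.9 == 2.8.9.0
    branch = padded[:2]
    if branch in FIXED_IN:
        fixed = FIXED_IN[branch] + (0,) * (4 - len(FIXED_IN[branch]))
        return padded < fixed
    # Branches before 2.6 received no fix release; 2.9 and later ship fixed.
    return branch < (2, 6)


def find_affected(coordinates):
    """Return the 'group:artifact:version' entries that are still affected
    (assumed coordinate format, Gradle style)."""
    hits = []
    for coord in coordinates:
        _group, artifact, version = coord.split(":")
        if artifact == "jackson-databind" and is_affected(version):
            hits.append(coord)
    return hits


# Constructed sample dependency list, not taken from any real project.
SAMPLE_DEPS = [
    "com.fasterxml.jackson.core:jackson-databind:2.8.8",
    "com.fasterxml.jackson.core:jackson-databind:2.6.7.1",
    "com.fasterxml.jackson.core:jackson-core:2.8.8",
]

if __name__ == "__main__":
    for hit in find_affected(SAMPLE_DEPS):
        print("affected by CVE-2017-7525:", hit)
```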
Is CVE-2017-7525 being exploited?
Likely — EPSS is 82.4%, placing CVE-2017-7525 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.
Affected packages (4)
- from 0, < 2.9.1-1
- from 0, < 2.4.2-2+deb8u1
- from 0, < 1.9.13-2
- from 0, < 2.6.7.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL (9.8) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |