A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.
oryginał ENCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HDebian
OSDebian8.09.0Fasterxml Jackson Databind
APPFasterxml2.9.02.0.0 – 2.6.7.2 (bez)2.7.0 – 2.7.9.2 (bez)2.8.0 – 2.8.10 (bez)Netapp Oncommand Balance
APPNetappwszystkie wersjeNetapp Oncommand Performance Manager
APPNetappwszystkie wersjeNetapp Oncommand Shift
APPNetappwszystkie wersjeNetapp Snapcenter
APPNetappwszystkie wersjeOracle Banking Platform
APPOracle2.5.02.6.02.6.12.6.2Oracle Clusterware
APPOracle12.1.0.2.0Oracle Communications Billing And Revenue Management
APPOracle12.07.5Oracle Communications Diameter Signaling Router
APPOracle< 8.3Oracle Communications Instant Messaging Server
APPOracle10.0.1.2.0Oracle Database Server
APPOracle12.2.0.118.1Oracle Enterprise Manager For Virtualization
APPOracle13.2.213.2.313.3.1Oracle Financial Services Analytical Applications Infrastructure
APPOracle8.0.28.0.38.0.48.0.58.0.68.0.7Oracle Global Lifecycle Management Opatchauto
APPOracle< 12.2.0.1.14Oracle Identity Manager
APPOracle11.1.2.3.012.2.1.3.0Oracle Jd Edwards Enterpriseone Tools
APPOracle9.2Oracle Primavera Unifier
APPOracle16.116.218.817.1 – 17.12Oracle Utilities Advanced Spatial And Operational Analytics
APPOracle2.7.0.1Oracle Webcenter Portal
APPOracle12.2.1.3.0Red Hat Enterprise Linux
OSRedhat5.06.07.0Red Hat Jboss Enterprise Application Platform
APPRedhat6.0.06.4.07.1.0Red Hat OpenShift Container Platform
APPRedhat3.114.1Red Hat Satellite
APPRedhat6.4Red Hat Satellite Capsule
APPRedhat6.4
🟢
PATCH DOSTĘPNY
Aktualizacja od producenta gotowa. Wdrożenie w ramach standardowego cyklu.
Tagi
RCEDeserialization
Referencje
Powiązane podatności
CVE-2026-24061CRITICAL9.8⚠ KEVPL ✓ten sam produkt
GNU Inetutils telnetd: ominięcie uwierzytelnienia przez zmienną USER
CVE-2025-61757CRITICAL9.8⚠ KEVPL ✓ten sam produkt
Pominięcie uwierzytelnienia w Oracle Identity Manager REST WebServices
CVE-2025-32463CRITICAL9.3⚠ KEVPL ✓ten sam produkt
Sudo: eskalacja uprawnień do root poprzez opcję --chroot (CVE-2025-32463)
CVE-2025-49113CRITICAL9.9⚠ KEVPL ✓ten sam produkt
RCE przez deserializację PHP w Roundcube Webmail (parametr _from)
CVE-2025-32433CRITICAL10.0⚠ KEVPL ✓ten sam produkt
Erlang/OTP SSH — nieuwierzytelniony RCE (CVSS 10.0)