CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2017-15095

CVSS 9.8v3.1pub. 2018-02-06upd. 2024-11-21

A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Debian

    OS
    Debian
    8.09.0
  • Fasterxml Jackson Databind

    APP
    Fasterxml
    2.9.02.0.0 – 2.6.7.2 (bez)2.7.0 – 2.7.9.2 (bez)2.8.0 – 2.8.10 (bez)
  • Netapp Oncommand Balance

    APP
    Netapp
    wszystkie wersje
  • Netapp Oncommand Performance Manager

    APP
    Netapp
    wszystkie wersje
  • Netapp Oncommand Shift

    APP
    Netapp
    wszystkie wersje
  • Netapp Snapcenter

    APP
    Netapp
    wszystkie wersje
  • Oracle Banking Platform

    APP
    Oracle
    2.5.02.6.02.6.12.6.2
  • Oracle Clusterware

    APP
    Oracle
    12.1.0.2.0
  • Oracle Communications Billing And Revenue Management

    APP
    Oracle
    12.07.5
  • Oracle Communications Diameter Signaling Router

    APP
    Oracle
    < 8.3
  • Oracle Communications Instant Messaging Server

    APP
    Oracle
    10.0.1.2.0
  • Oracle Database Server

    APP
    Oracle
    12.2.0.118.1
  • Oracle Enterprise Manager For Virtualization

    APP
    Oracle
    13.2.213.2.313.3.1
  • Oracle Financial Services Analytical Applications Infrastructure

    APP
    Oracle
    8.0.28.0.38.0.48.0.58.0.68.0.7
  • Oracle Global Lifecycle Management Opatchauto

    APP
    Oracle
    < 12.2.0.1.14
  • Oracle Identity Manager

    APP
    Oracle
    11.1.2.3.012.2.1.3.0
  • Oracle Jd Edwards Enterpriseone Tools

    APP
    Oracle
    9.2
  • Oracle Primavera Unifier

    APP
    Oracle
    16.116.218.817.1 – 17.12
  • Oracle Utilities Advanced Spatial And Operational Analytics

    APP
    Oracle
    2.7.0.1
  • Oracle Webcenter Portal

    APP
    Oracle
    12.2.1.3.0
  • Red Hat Enterprise Linux

    OS
    Redhat
    5.06.07.0
  • Red Hat Jboss Enterprise Application Platform

    APP
    Redhat
    6.0.06.4.07.1.0
  • Red Hat OpenShift Container Platform

    APP
    Redhat
    3.114.1
  • Red Hat Satellite

    APP
    Redhat
    6.4
  • Red Hat Satellite Capsule

    APP
    Redhat
    6.4
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
RCEDeserialization
CWE
References

Related vulnerabilities

CVE-2026-24061CRITICAL9.8⚠ KEVPL ✓ten sam produkt

GNU Inetutils telnetd: ominięcie uwierzytelnienia przez zmienną USER

CVE-2025-61757CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Pominięcie uwierzytelnienia w Oracle Identity Manager REST WebServices

CVE-2025-32463CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Sudo: eskalacja uprawnień do root poprzez opcję --chroot (CVE-2025-32463)

CVE-2025-49113CRITICAL9.9⚠ KEVPL ✓ten sam produkt

RCE przez deserializację PHP w Roundcube Webmail (parametr _from)

CVE-2025-32433CRITICAL10.0⚠ KEVPL ✓ten sam produkt

Erlang/OTP SSH — nieuwierzytelniony RCE (CVSS 10.0)