A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HDebian
OSDebian8.09.0Fasterxml Jackson Databind
APPFasterxml2.9.0< 2.6.7.12.7.0 – 2.7.9.1 (bez)2.8.0 – 2.8.9 (bez)Netapp Oncommand Balance
APPNetappwszystkie wersjeNetapp Oncommand Performance Manager
APPNetappwszystkie wersjeNetapp Oncommand Shift
APPNetappwszystkie wersjeNetapp Snapcenter
APPNetappwszystkie wersjeOracle Banking Platform
APPOracle2.5.02.6.02.6.12.6.2Oracle Communications Billing And Revenue Management
APPOracle12.07.5Oracle Communications Communications Policy Management
APPOracle12.0 – 12.5.2Oracle Communications Diameter Signaling Route
APPOracle< 8.3Oracle Communications Instant Messaging Server
APPOracle10.0.110.0.1.2.0Oracle Enterprise Manager For Virtualization
APPOracle13.2.213.2.313.3.1Oracle Financial Services Analytical Applications Infrastructure
APPOracle8.0.2.0.08.0.3.0.08.0.4.0.08.0.5.0.08.0.6.0.08.0.7.0.0Oracle Global Lifecycle Management Opatchauto
APPOracle< 12.2.0.1.14Oracle Primavera Unifier
APPOracle16.116.218.817.1 – 17.12Oracle Utilities Advanced Spatial And Operational Analytics
APPOracle2.7.0.1Oracle Webcenter Portal
APPOracle12.2.1.3.0Red Hat Enterprise Linux Server
OSRedhat5.06.07.0Red Hat Jboss Enterprise Application Platform
APPRedhat6.0.06.4.07.07.1Red Hat OpenShift Container Platform
APPRedhat3.114.1Red Hat Virtualization
APPRedhat4.0Red Hat Virtualization Host
APPRedhat4.0
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
RCEDeserialization
References
Related vulnerabilities
CVE-2026-24061CRITICAL9.8⚠ KEVPL ✓ten sam produkt
GNU Inetutils telnetd: ominięcie uwierzytelnienia przez zmienną USER
CVE-2025-32463CRITICAL9.3⚠ KEVPL ✓ten sam produkt
Sudo: eskalacja uprawnień do root poprzez opcję --chroot (CVE-2025-32463)
CVE-2025-49113CRITICAL9.9⚠ KEVPL ✓ten sam produkt
RCE przez deserializację PHP w Roundcube Webmail (parametr _from)
CVE-2025-32433CRITICAL10.0⚠ KEVPL ✓ten sam produkt
Erlang/OTP SSH — nieuwierzytelniony RCE (CVSS 10.0)
CVE-2025-24201CRITICAL10.0⚠ KEVPL ✓ten sam produkt
Apple WebKit: out-of-bounds write umożliwiający ucieczkę z sandbox przeglądarki