Launchpad CVE tracker

CVE 2017-15095

A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.

Related bugs and status

CVE-2017-15095 (Candidate) is related to these bugs:

Bug #1869918: Found an escape character in the closing description tag that corrupts the xml.

Summary				In	Importance	Status
	1869918	Found an escape character in the closing description tag that corrupts the xml.		Ubuntu CVE Tracker	Undecided	Fix Released

See the

CVE page on Mitre.org for more details.

References

CONFIRM: https://github.com/Fas...
CONFIRM: https://github.com/Fas...
CONFIRM: https://security.netap...
DEBIAN: DSA-4037
REDHAT: RHSA-2017:3189
REDHAT: RHSA-2017:3190
SECTRACK: 1039769
REDHAT: RHSA-2018:0342
REDHAT: RHSA-2018:0478
REDHAT: RHSA-2018:0479
REDHAT: RHSA-2018:0480
REDHAT: RHSA-2018:0481
REDHAT: RHSA-2018:0576
REDHAT: RHSA-2018:0577
CONFIRM: http://www.oracle.com/...
BID: 103880
REDHAT: RHSA-2018:1447
REDHAT: RHSA-2018:1448
REDHAT: RHSA-2018:1449
REDHAT: RHSA-2018:1450
REDHAT: RHSA-2018:1451
CONFIRM: http://www.oracle.com/...
CONFIRM: http://www.oracle.com/...
REDHAT: RHSA-2018:2927
CONFIRM: https://www.oracle.com...
MISC: https://www.oracle.com...
REDHAT: RHSA-2019:2858
REDHAT: RHSA-2019:3149
REDHAT: RHSA-2019:3892
MLIST: [lucene-solr-user] 201...
MLIST: [debian-lts-announce] ...
MISC: https://www.oracle.com...

Launchpad.net

CVE 2017-15095

Related bugs and status

Related bugs

References