
CVE-2017-15095: jackson-databind vulnerable to deserialization flaw leading to unauthenticated remote code execution

CVSS Score: 9.8 (CVSS v3.1)

Basic Information

EPSS Score: 0.91267%
Published: 10/18/2018
Updated: 3/15/2024
KEV Status: No
Technology: Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name                                  Ecosystem   Vulnerable Versions     First Patched Version
com.fasterxml.jackson.core:jackson-databind   maven       >= 2.9.0, < 2.9.4       2.9.4
com.fasterxml.jackson.core:jackson-databind   maven       >= 2.8.0, < 2.8.11      2.8.11
com.fasterxml.jackson.core:jackson-databind   maven       >= 2.0.0, < 2.6.7.3     2.6.7.3
com.fasterxml.jackson.core:jackson-databind   maven       >= 2.7.0, < 2.7.9.2     2.7.9.2

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The fix in the patched releases extends the deserialization blacklist with additional classes rather than changing the parsing logic, which confirms that the entry point is ObjectMapper.readValue called on attacker-controlled JSON: with polymorphic (default) typing enabled, the input itself names the class to instantiate, and the only barrier between that name and a constructor call is the deny-list of known gadget classes. BeanDeserializerFactory takes part in building the deserializer for the requested type and performs that check of whether the named class is permitted; a class missing from the list is instantiated and its setters are invoked with attacker-supplied values. Applications that never enable default typing (and do not annotate untrusted types with @JsonTypeInfo using class names) do not honour the embedded class name and are not reachable through this path.
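As an added illustration of the readValue entry point described above (this is example code, not from the advisory or from the jackson-databind project), the following contrasts the vulnerable configuration with two safer ones: leaving default typing off, which works on every version in the table, and the allow-list PolymorphicTypeValidator that jackson-databind has offered since 2.10. The JSON payload is constructed for the example, java.util.HashMap stands in for whatever class an attacker would name, and the package com.example.model. is hypothetical.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingDemo {

    // Constructed sample input (not from the advisory): default typing's
    // WRAPPER_ARRAY wire format, ["fully.qualified.Class", { properties }].
    // java.util.HashMap is a harmless stand-in for the class an attacker
    // would name; the point is that the sender chooses the class.
    static final String UNTRUSTED_JSON =
            "[\"java.util.HashMap\", {\"key\": \"value\"}]";

    // Vulnerable pattern. Global default typing makes readValue honour the
    // class name embedded in the input. In the affected versions the only
    // thing between that name and a constructor call was a deny-list of
    // known gadget classes, and CVE-2017-15095 is a batch of classes that
    // list had missed.
    static Object readWithGlobalDefaultTyping(String json) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // deprecated since 2.10, still compiles
        return mapper.readValue(json, Object.class);
    }

    // Fix that applies to every version in the table: do not enable default
    // typing for untrusted input. Without it there is no mechanism that turns
    // the string in the array into a class; it is bound as ordinary data
    // (a List holding a String and a Map).
    static Object readWithoutDefaultTyping(String json) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        return mapper.readValue(json, Object.class);
    }

    // Hardened pattern for 2.10 and later: polymorphic typing stays on, but
    // only class names under the allow-listed package are resolved. Any other
    // name is rejected with InvalidTypeIdException before a constructor or
    // setter of the named class can run, instead of relying on a deny-list.
    static Object readWithAllowList(String json) throws Exception {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.") // hypothetical package
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper.readValue(json, Object.class);
    }

    public static void main(String[] args) throws Exception {
        // Default typing on: the class named in the input is instantiated.
        Object a = readWithGlobalDefaultTyping(UNTRUSTED_JSON);
        System.out.println("default typing : " + a.getClass().getName());

        // Default typing off: the class name is inert data.
        Object b = readWithoutDefaultTyping(UNTRUSTED_JSON);
        System.out.println("no typing      : " + b.getClass().getName());

        // Allow-list: the class name is refused before instantiation.
        try {
            readWithAllowList(UNTRUSTED_JSON);
        } catch (InvalidTypeIdException e) {
            System.out.println("allow-list     : rejected (" + e.getMessage() + ")");
        }
    }
}
```

Compile against jackson-databind 2.10 or newer (activateDefaultTyping and BasicPolymorphicTypeValidator do not exist in the 2.6 to 2.9 lines listed in the table; on those versions the only options are upgrading to the patched release and disabling default typing for untrusted input). When default typing is genuinely needed, prefer allowIfSubType on your own model package over allowIfBaseType on a broad base such as Object.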


WAF Protection Rules

WAF Rule

jackson-databind in versions prior to 2.8.11 and 2.9.4 contain a deserialization flaw which allows an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of the ObjectMapper. This issue extends
