FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1, and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. It is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available on the classpath.
References
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2018-02-26T15:00:00
Updated: 2021-03-25T00:06:15
Reserved: 2018-02-26T00:00:00
Link: CVE-2018-7489
NVD Information
Status: Modified
Published: 2018-02-26T15:29:00.417
Modified: 2023-11-07T03:01:02.513
Link: CVE-2018-7489
Redhat Information
No data.