Russian Vulnerability Scanner Database

Back to List

BDU:2021-01382

Scores

EPSS

0.000none0.0%
0%20%40%60%80%100%

Percentile: 0.0%

CVSS

9.8critical3.x
0246810

CVSS Score: 9.8/10

All CVSS Scores

CVSS 3.x
9.8

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0
7.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Description

Уязвимость метода readValue класса ObjectMapper библиотеки Jackson-databind связана с некорректной проверкой входных данных до попытки их десериализации. Эксплуатация уязвимости может позволить нарушителю, действующему удаленно, получить доступ к конфиденциальным данным, нарушить их целостность, а также вызвать отказ в обслуживании

Scaner-VS 7 — a modern vulnerability management solution

Uses this database for vulnerability detection. High-speed search, cross-platform, advanced configuration audit, and flexible filtering. Suitable for organizations of any size.
Learn more about Scaner-VS 7

Sources

bdu

Related Vulnerabilities

CVE-2017-17485

Exploits

Exploit ID: CVE-2017-17485

Source: github-poc

URL: https://github.com/Al1ex/CVE-2017-17485

Reference Links

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-17485
https://nvd.nist.gov/vuln/detail/CVE-2017-17485
https://security-tracker.debian.org/tracker/CVE-2017-17485
https://bugzilla.redhat.com/show_bug.cgi?id=1528565#c0
https://github.com/FasterXML/jackson-databind/issues/1855
https://access.redhat.com/errata/RHSA-2018:0116
https://access.redhat.com/errata/RHSA-2018:0342
https://access.redhat.com/errata/RHSA-2018:0478
https://access.redhat.com/errata/RHSA-2018:0479
https://access.redhat.com/errata/RHSA-2018:0480
https://access.redhat.com/errata/RHSA-2018:0481
https://access.redhat.com/errata/RHSA-2018:1447
https://access.redhat.com/errata/RHSA-2018:1448
https://access.redhat.com/errata/RHSA-2018:1449
https://access.redhat.com/errata/RHSA-2018:1450
https://access.redhat.com/errata/RHSA-2018:1451
https://access.redhat.com/errata/RHSA-2018:2930
https://access.redhat.com/errata/RHSA-2019:1782
https://access.redhat.com/errata/RHSA-2019:1797
https://access.redhat.com/errata/RHSA-2019:2858
https://access.redhat.com/errata/RHSA-2019:3149
https://access.redhat.com/errata/RHSA-2019:3892
https://access.redhat.com/security/cve/CVE-2017-17485
https://github.com/FasterXML/jackson-databind/issues/1855
https://github.com/irsl/jackson-rce-via-spel/

Recommendations

Source: bdu

Использование рекомендаций:
Для Jackson-databind:
Обновление программного обеспечения до 2.12.1-1 или более поздней версии

Для Debian:
Обновление программного обеспечения (пакета jackson-databind) до 2.9.8-3+deb10u1 или более поздней версии

Для Astra Linux:
Обновление программного обеспечения (пакета jackson-databind) до 2.9.8-3+deb10u1 или более поздней версии

Для программных продуктов Red Hat Inc.:
https://access.redhat.com/errata/RHSA-2018:0116
https://access.redhat.com/errata/RHSA-2018:0342
https://access.redhat.com/errata/RHSA-2018:0478
https://access.redhat.com/errata/RHSA-2018:0479
https://access.redhat.com/errata/RHSA-2018:0480
https://access.redhat.com/errata/RHSA-2018:0481
https://access.redhat.com/errata/RHSA-2018:1447
https://access.redhat.com/errata/RHSA-2018:1448
https://access.redhat.com/errata/RHSA-2018:1449
https://access.redhat.com/errata/RHSA-2018:1450
https://access.redhat.com/errata/RHSA-2018:1451
https://access.redhat.com/errata/RHSA-2018:2930
https://access.redhat.com/errata/RHSA-2019:1782
https://access.redhat.com/errata/RHSA-2019:1797
https://access.redhat.com/errata/RHSA-2019:2858
https://access.redhat.com/errata/RHSA-2019:3149
https://access.redhat.com/errata/RHSA-2019:3892

URL: https://bdu.fstec.ru/vul/2021-01382

Vulnerable Software (45)

Type: Configuration

Vendor: fasterxml, llc

Product: jackson-databind

Operating System: debian gnu/linux 9

Trait: 
{  "version_end_excluding": "2.7.9.2",  "version_start_including": "2.7.0"}

Source: bdu

Type: Configuration

Vendor: fasterxml, llc

Product: jackson-databind

Operating System: debian gnu/linux 9

Trait: 
{  "version_end_excluding": "2.8.11",  "version_start_including": "2.8.0"}

Source: bdu

Type: Configuration

Vendor: fasterxml, llc

Product: jackson-databind

Operating System: debian gnu/linux 9

Trait: 
{  "version_end_excluding": "2.9.4",  "version_start_including": "2.9.0"}

Source: bdu

Type: Configuration

Vendor: fasterxml, llc

Product: jackson-databind

Operating System: debian gnu/linux 9

Trait: 
{  "version_end_excluding": "2.6.7.3",  "version_start_including": "2.6.0"}

Source: bdu

Type: Configuration

Vendor: fasterxml, llc

Product: jackson-databind

Operating System: astra 2.12

Trait: 
{  "version_end_excluding": "2.7.9.2",  "version_start_including": "2.7.0"}

Source: bdu

Type: Configuration

Vendor: fasterxml, llc

Product: jackson-databind

Operating System: astra 2.12

Trait: 
{  "version_end_excluding": "2.8.11",  "version_start_including": "2.8.0"}

Source: bdu

Type: Configuration

Vendor: fasterxml, llc

Product: jackson-databind

Operating System: astra 2.12

Trait: 
{  "version_end_excluding": "2.9.4",  "version_start_including": "2.9.0"}

Source: bdu

Type: Configuration

Vendor: fasterxml, llc

Product: jackson-databind

Operating System: astra 2.12

Trait: 
{  "version_end_excluding": "2.6.7.3",  "version_start_including": "2.6.0"}

Source: bdu

Type: Configuration

Vendor: fasterxml, llc

Product: jackson-databind

Operating System: debian gnu/linux 10

Trait: 
{  "version_end_excluding": "2.7.9.2",  "version_start_including": "2.7.0"}

Source: bdu

Type: Configuration

Vendor: fasterxml, llc

Product: jackson-databind

Operating System: debian gnu/linux 10

Trait: 
{  "version_end_excluding": "2.8.11",  "version_start_including": "2.8.0"}

Source: bdu

Type: Configuration

Vendor: fasterxml, llc

Product: jackson-databind

Operating System: debian gnu/linux 10

Trait: 
{  "version_end_excluding": "2.9.4",  "version_start_including": "2.9.0"}

Source: bdu

Type: Configuration

Vendor: fasterxml, llc

Product: jackson-databind

Operating System: debian gnu/linux 10

Trait: 
{  "version_end_excluding": "2.6.7.3",  "version_start_including": "2.6.0"}

Source: bdu

Type: Configuration

Vendor: red hat inc.

Product: jboss enterprise application platform

Operating System: debian gnu/linux 9

Trait: 
{  "version_exact": "6.4 for RHEL 6"}

Source: bdu

Type: Configuration

Vendor: red hat inc.

Product: jboss enterprise application platform

Operating System: debian gnu/linux 9

Trait: 
{  "version_exact": "6.4"}

Source: bdu

Type: Configuration

Vendor: red hat inc.

Product: jboss enterprise application platform

Operating System: debian gnu/linux 9

Trait: 
{  "version_exact": "7"}

Source: bdu

Type: Configuration

Vendor: red hat inc.

Product: jboss enterprise application platform

Operating System: debian gnu/linux 9

Trait: 
{  "version_exact": "7.1 for RHEL 6"}

Source: bdu

Type: Configuration

Vendor: red hat inc.

Product: jboss enterprise application platform

Operating System: debian gnu/linux 9

Trait: 
{  "version_exact": "6"}

Source: bdu

Type: Configuration

Vendor: red hat inc.

Product: jboss enterprise application platform

Operating System: debian gnu/linux 9

Trait: 
{  "version_exact": "6.4 for RHEL 5"}

Source: bdu

Type: Configuration

Vendor: red hat inc.

Product: jboss enterprise application platform

Operating System: astra 2.12

Trait: 
{  "version_exact": "6.4 for RHEL 6"}

Source: bdu

Type: Configuration

Vendor: red hat inc.

Product: jboss enterprise application platform

Operating System: astra 2.12

Trait: 
{  "version_exact": "6.4"}

Source: bdu