Bug 637684 (CVE-2017-7525) - dev-java/jackson-databind: Deserialization vulnerability via readValue method of ObjectMapper
Status: RESOLVED OBSOLETE
Alias: CVE-2017-7525
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://github.com/FasterXML/jackson-...
Whiteboard: ~2 [ebuild]
Reported: 2017-11-16 14:59 UTC by Francis Booth
Modified: 2018-09-08 08:23 UTC
Description Francis Booth 2017-11-16 14:59:30 UTC
A deserialization flaw in jackson-databind was found allowing code execution when given maliciously crafted input to the readValue method of ObjectMapper.



~ eleix (Security Padawan)
Comment 1 D'juan McDonald (domhnall) 2018-09-08 01:09:53 UTC
Fixed in version(s) >=2.8.10, 2.9.1

https://github.com/FasterXML/jackson-databind/issues/1847
Comment 2 D'juan McDonald (domhnall) 2018-09-08 02:54:18 UTC
Superseded by: bug 648952