Bug 675682 (CVE-2017-15095, CVE-2017-17485) - dev-java/jackson-databind: multiple vulnerabilities
Summary: dev-java/jackson-databind: multiple vulnerabilities
Alias: CVE-2017-15095, CVE-2017-17485
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Deadline: 2019-05-12
Assignee: Gentoo Security
Whiteboard: ~2 [upstream/ebuild]
Keywords: PMASKED
Depends on:
Blocks: CVE-2018-7489 CVE-2018-14718, CVE-2018-14719, CVE-2018-14720, CVE-2018-14721 CVE-2018-19360, CVE-2018-19361, CVE-2018-19362 CVE-2018-12022, CVE-2018-12023
Reported: 2019-01-17 10:36 UTC by D'juan McDonald (domhnall)
Modified: 2019-11-01 21:14 UTC (History)
CC List: 2 users

See Also:
Package list:
Runtime testing required: ---


Description D'juan McDonald (domhnall) 2019-01-17 10:36:59 UTC

FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.

Affected Versions:
  Jackson-databind version <= 2.9.3
  Jackson-databind version <=
  Jackson-databind version <= 2.8.10

Unaffected Versions:
  Jackson-databind version
  Jackson-databind version
  Jackson-databind version 2.8.11

@maintainer(s): "Developers are advised to check whether the jackson-databind component is used in applications, and if so, to further check its version number and whether the enableDefaultTyping method is called in the code"

Gentoo-Security Padawan
Comment 1 D'juan McDonald (domhnall) 2019-01-17 11:57:53 UTC
How to check:

1. get the source file
2. jackson-databind is included in pom.xml
3. grep for "<artifactId>jackson-databind</artifactId>" and the version is one listed in the Affected section.
4. check whether the `enableDefaultTyping` method is called in the code.

If yes for 2, 3, 4... the package is affected.
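The check list above can be automated. The script below is an added example, not part of the bug report or of Gentoo's tooling: it walks a checked-out Maven project, reads the jackson-databind version from pom.xml (resolving the common `<version>${jackson.version}</version>` property indirection that a plain grep on the artifactId line would miss), compares it against the ranges given in the description (<= 2.8.10 and 2.9.0 through 2.9.3), and greps the Java sources for `enableDefaultTyping(`. The sample pom and Java class it audits are constructed inline for the demonstration; the "affected" verdict follows the rule in the comment (all of steps 2, 3 and 4 must hold).

```python
"""Audit a Maven project for the jackson-databind exposure tracked in this bug.
Added example (not from the bug report or Gentoo). Steps 2-4 of the check list:
dependency declared in pom.xml, version in an affected range, and
enableDefaultTyping() called somewhere in the sources."""
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

POM_NS = "{http://maven.apache.org/POM/4.0.0}"
ARTIFACT = "jackson-databind"
# Affected ranges as stated in the CVE text quoted in the description.
AFFECTED_RANGES = [((0, 0, 0), (2, 8, 10)), ((2, 9, 0), (2, 9, 3))]

def parse_version(text):
    # '2.9.3', '2.9.3.1' or '2.8.10-rc1' all reduce to a 3-tuple of ints
    parts = tuple(int(n) for n in re.findall(r"\d+", text)[:3])
    return parts + (0,) * (3 - len(parts))

def is_affected_version(text):
    v = parse_version(text)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)

def _tag(elem):
    return elem.tag.replace(POM_NS, "")  # works for namespaced and bare poms

def find_databind_version(pom_path):
    """None if not declared; '' if declared without a resolvable version; else the version."""
    root = ET.parse(pom_path).getroot()
    props = {}
    for elem in root.iter():
        if _tag(elem) == "properties":
            props.update({_tag(p): (p.text or "").strip() for p in elem})
    for dep in root.iter():
        if _tag(dep) != "dependency":
            continue
        fields = {_tag(c): (c.text or "").strip() for c in dep}
        if fields.get("artifactId") != ARTIFACT:
            continue
        version = fields.get("version", "")
        m = re.fullmatch(r"\$\{([^}]+)\}", version)  # ${jackson.version} style
        return props.get(m.group(1), "") if m else version
    return None

def uses_default_typing(src_root):
    """Step 4: relative paths of .java files that call enableDefaultTyping."""
    pattern = re.compile(r"\benableDefaultTyping\s*\(")
    return sorted(str(p.relative_to(src_root)) for p in Path(src_root).rglob("*.java")
                  if pattern.search(p.read_text(encoding="utf-8", errors="replace")))

def audit(project_dir):
    """Steps 2-4 combined; 'affected' is true only when all three hold."""
    pom = Path(project_dir) / "pom.xml"
    version = find_databind_version(pom) if pom.exists() else None
    typing_files = uses_default_typing(project_dir)
    affected_version = bool(version) and is_affected_version(version)
    return {
        "declared": version is not None,
        "version": version,
        "affected_version": affected_version,
        "default_typing_files": typing_files,
        "affected": version is not None and affected_version and bool(typing_files),
    }

# Constructed sample project: a pom that pins jackson-databind through a
# property, and one class that turns default typing on.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId><artifactId>demo</artifactId><version>1.0</version>
  <properties><jackson.version>2.9.3</jackson.version></properties>
  <dependencies><dependency>
    <groupId>com.fasterxml.jackson.core</groupId>
    <artifactId>jackson-databind</artifactId>
    <version>${jackson.version}</version>
  </dependency></dependencies>
</project>
"""
SAMPLE_JAVA = """package demo;
import com.fasterxml.jackson.databind.ObjectMapper;
public class Config {
    ObjectMapper mapper() { ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping();  // polymorphic typing on: the risky setting
        return m; } }
"""

def build_sample_project(base):
    base = Path(base)
    (base / "pom.xml").write_text(SAMPLE_POM, encoding="utf-8")
    src = base / "src" / "main" / "java" / "demo"
    src.mkdir(parents=True, exist_ok=True)
    (src / "Config.java").write_text(SAMPLE_JAVA, encoding="utf-8")

def audit_sample():
    """Build the constructed project in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_project(tmp)
        return audit(tmp)

if __name__ == "__main__":
    print(audit_sample())
```

Run against a real checkout with `audit("/path/to/project")`. A version managed by a parent pom or BOM comes back as an empty string, which the script reports as "declared but version unresolved" rather than silently passing it; that case needs a look at the parent pom by hand.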
Comment 2 Larry the Git Cow gentoo-dev 2019-04-13 03:22:42 UTC
The bug has been referenced in the following commit(s):

commit ad77bce60d04e76bd37cbfc87cf35cb58a0f8a92
Author:     Aaron Bauman <>
AuthorDate: 2019-04-13 03:21:11 +0000
Commit:     Aaron Bauman <>
CommitDate: 2019-04-13 03:22:33 +0000

    profiles/package.mask: add dev-java/jackson-databind
    * Multiple security vulnerabilities
    * No revbump in several years
    Signed-off-by: Aaron Bauman <>

 profiles/package.mask | 12 ++++++++++++
 1 file changed, 12 insertions(+)
Comment 3 Patrice Clement gentoo-dev 2019-05-12 08:43:25 UTC
Package removed from the Portage tree.