CVE-2017-7525

Name:         CVE-2017-7525
Description:  A deserialization flaw was discovered in jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of the ObjectMapper.
Source:       CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues)
References:   DLA-2091-1, DLA-2342-1, DSA-4004-1
Debian Bugs:  870848
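The description above refers to the pattern in which an application enables global default typing on an ObjectMapper and then calls readValue on attacker-controlled JSON: with that setting the sender, not the application, picks the class that gets instantiated. The following is an added illustration, not code from this tracker page or from the jackson-databind project. It uses a benign class of its own (Note) in place of any real gadget, and the package prefix com.example.model. in the allowlist is a hypothetical placeholder; the hardened variant relies on the PolymorphicTypeValidator API, which exists only in jackson-databind 2.10 and later.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingDemo {

    // Benign application class; it stands in for whatever class name an
    // attacker would put in the type-id slot of the JSON below.
    public static class Note {
        public String text;
    }

    // Constructed, attacker-controlled body. With default typing enabled the
    // first array element is a fully qualified class name chosen by the sender.
    static final String UNTRUSTED =
        "[\"DefaultTypingDemo$Note\", {\"text\": \"hello\"}]";

    // Vulnerable pattern: global default typing plus readValue into Object.
    // The class to instantiate is taken from the input, not from the code.
    static Object vulnerable(String json) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // deprecated since 2.10 for exactly this reason
        return mapper.readValue(json, Object.class);
    }

    // Hardened pattern (2.10+): polymorphic type ids are only honoured when
    // they pass an explicit allowlist; everything else is refused.
    static Object hardened(String json) throws Exception {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType("com.example.model.") // hypothetical package prefix
            .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper.readValue(json, Object.class);
    }

    public static void main(String[] args) throws Exception {
        Object o = vulnerable(UNTRUSTED);
        System.out.println("vulnerable mapper instantiated: " + o.getClass().getName());
        try {
            hardened(UNTRUSTED);
            System.out.println("hardened mapper accepted the type id (unexpected)");
        } catch (InvalidTypeIdException e) {
            System.out.println("hardened mapper refused type id: " + e.getTypeId());
        }
    }
}
```

The fixed Debian versions listed below for jessie, stretch and buster carry upstream's mitigation for this CVE, which refuses a set of known gadget class names; it does not make default typing safe against classes that are not on that list. Where the application does not need polymorphic deserialization of untrusted input, the reliable fix is to not enable default typing at all; where it does, use the allowlist form shown in hardened(), which is available in the bullseye and bookworm/sid versions (2.12 and 2.14) but not in the older releases.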

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package             Release                                        Version            Status
jackson-databind (PTS)     jessie, jessie (lts)                           2.4.2-2+deb8u17    fixed
                           stretch (security)                             2.8.6-1+deb9u10    fixed
                           stretch (lts), stretch                         2.8.6-1+deb9u11    fixed
                           buster                                         2.9.8-3+deb10u3    fixed
                           buster (security)                              2.9.8-3+deb10u5    fixed
                           bullseye (security), bullseye                  2.12.1-1+deb11u1   fixed
                           sid, trixie, bookworm                          2.14.0-1           fixed
libjackson-json-java (PTS) jessie, jessie (lts)                           1.9.2-3+deb8u1     fixed
                           stretch (security), stretch (lts), stretch     1.9.2-8+deb9u1     fixed
                           buster                                         1.9.13-2~deb10u1   fixed
                           sid, trixie, bullseye, bookworm                1.9.13-2           fixed

The information below is based on the following data on fixed versions.

Package               Type    Release     Fixed Version      Urgency      Origin      Debian Bugs
jackson-databind      source  jessie      2.4.2-2+deb8u1                  DSA-4004-1
jackson-databind      source  stretch     2.8.6-1+deb9u1                  DSA-4004-1
jackson-databind      source  (unstable)  2.9.1-1                                     870848
libjackson-json-java  source  wheezy      (unfixed)          end-of-life
libjackson-json-java  source  jessie      1.9.2-3+deb8u1                  DLA-2091-1
libjackson-json-java  source  stretch     1.9.2-8+deb9u1                  DLA-2342-1
libjackson-json-java  source  buster      1.9.13-2~deb10u1
libjackson-json-java  source  (unstable)  1.9.13-2

Notes

https://github.com/FasterXML/jackson-databind/issues/1599
For libjackson-json-java:
https://github.com/FasterXML/jackson-1/commit/9ac68db819bce7b9546bc4bf1c44f82ca910fa31
