CVE-2017-7525

Name	CVE-2017-7525
Description	A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-2091-1, DLA-2342-1, DSA-4004-1
Debian Bugs	870848

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
jackson-databind (PTS)	jessie, jessie (lts)	2.4.2-2+deb8u17	fixed
	stretch (security)	2.8.6-1+deb9u10	fixed
	stretch (lts), stretch	2.8.6-1+deb9u11	fixed
	buster (security), buster, buster (lts)	2.9.8-3+deb10u5	fixed
	bullseye (security), bullseye	2.12.1-1+deb11u1	fixed
	sid, trixie, bookworm	2.14.0-1	fixed
libjackson-json-java (PTS)	jessie, jessie (lts)	1.9.2-3+deb8u1	fixed
	stretch (security), stretch (lts), stretch	1.9.2-8+deb9u1	fixed
	buster	1.9.13-2~deb10u1	fixed
	sid, trixie, bullseye, bookworm	1.9.13-2	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
jackson-databind	source	jessie	2.4.2-2+deb8u1		DSA-4004-1
jackson-databind	source	stretch	2.8.6-1+deb9u1		DSA-4004-1
jackson-databind	source	(unstable)	2.9.1-1			870848
libjackson-json-java	source	wheezy	(unfixed)	end-of-life
libjackson-json-java	source	jessie	1.9.2-3+deb8u1		DLA-2091-1
libjackson-json-java	source	stretch	1.9.2-8+deb9u1		DLA-2342-1
libjackson-json-java	source	buster	1.9.13-2~deb10u1
libjackson-json-java	source	(unstable)	1.9.13-2

Notes

https://github.com/FasterXML/jackson-databind/issues/1599
For libjackson-json-java:
https://github.com/FasterXML/jackson-1/commit/9ac68db819bce7b9546bc4bf1c44f82ca910fa31