CVE-2017-15095

CRITICAL

jackson-databind <2.8.10, 2.9.1 - Code Injection

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2017-15095. PoCs published by dawetmaster and andikahilmy.

AI-analyzed exploit summary

This repository contains a vulnerable version of Jackson Databind (2.9.0) that is susceptible to CVE-2017-15095, a deserialization vulnerability. The included source code and build configuration allow for testing and exploitation of the flaw.

Description

A deserialization flaw was discovered in jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the earlier flaw CVE-2017-7525; the fix adds more classes that could be used maliciously to the deserialization blacklist.

Exploits (2)

nomisec WORKING POC
by dawetmaster · poc
https://github.com/dawetmaster/CVE-2017-15095-jackson-databind-vulnerable

This repository contains a vulnerable version of Jackson Databind (2.9.0) that is susceptible to CVE-2017-15095, a deserialization vulnerability. The included source code and build configuration allow for testing and exploitation of the flaw.

Classification: Working PoC 95%
Attack Type: Deserialization
Complexity: Moderate
Reliability: Reliable
Target: Jackson Databind 2.9.0
No auth needed
Prerequisites: Java environment · Jackson Databind 2.9.0 dependency
devstral-2 · analyzed Mar 14, 2026
nomisec WORKING POC
by andikahilmy · poc
https://github.com/andikahilmy/CVE-2017-15095-jackson-databind-vulnerable

This repository contains a vulnerable version of Jackson Databind (2.9.0) that demonstrates CVE-2017-15095, a deserialization vulnerability allowing remote code execution (RCE). The included source code and build configuration provide a functional environment to test the exploit.

Classification: Working PoC 90%
Attack Type: Deserialization
Complexity: Moderate
Reliability: Reliable
Target: Jackson Databind 2.9.0
No auth needed
Prerequisites: Vulnerable Jackson Databind version (2.9.0 or earlier) · Ability to send crafted JSON payloads to a target application using Jackson for deserialization
devstral-2 · analyzed Feb 18, 2026

References (32)

Core References
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:1448
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/103880
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:0479
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:0481
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:1449
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:1450
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:0577
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:0576
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:3190
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:1451
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:3189
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:2927
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1039769
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:0342
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:0480
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:1447
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:0478
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2017/dsa-4037
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:2858
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:3149
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:3892
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2020/01/msg00037.html
Patch, Third Party Advisory x_refsource_confirm
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
Patch, Third Party Advisory x_refsource_confirm
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
Patch, Third Party Advisory x_refsource_confirm
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuoct2020.html
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20171214-0003/
Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://github.com/FasterXML/jackson-databind/issues/1737
Issue Tracking, Third Party Advisory x_refsource_confirm
https://github.com/FasterXML/jackson-databind/issues/1680

Scores

CVSS v3 9.8
EPSS 0.0770
EPSS Percentile 92.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-184 CWE-502
Status published
Products (45)
com.fasterxml.jackson.core/jackson-databind 2.8.0 - 2.8.11 (Maven)
debian/debian_linux 8.0
debian/debian_linux 9.0
fasterxml/jackson-databind 2.9.0 (5 CPE variants)
fasterxml/jackson-databind 2.0.0 - 2.6.7.2
netapp/oncommand_balance
netapp/oncommand_performance_manager (2 CPE variants)
netapp/oncommand_shift
netapp/snapcenter
oracle/banking_platform 2.5.0
... and 35 more
Published Feb 06, 2018
Tracked Since Feb 18, 2026