CVE-2017-15095
CRITICALjackson-databind <2.8.10, 2.9.1 - Code Injection
Title source: llmDescription
A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.
Exploits (2)
nomisec
WORKING POC
by dawetmaster · poc
https://github.com/dawetmaster/CVE-2017-15095-jackson-databind-vulnerable
nomisec
WORKING POC
by andikahilmy · poc
https://github.com/andikahilmy/CVE-2017-15095-jackson-databind-vulnerable
References (32)
... and 12 more
Scores
CVSS v3
9.8
EPSS
0.0861
EPSS Percentile
92.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-184
CWE-502
Status
published
Products (45)
com.fasterxml.jackson.core/jackson-databind
2.8.0 - 2.8.11Maven
debian/debian_linux
8.0
debian/debian_linux
9.0
fasterxml/jackson-databind
2.9.0 (5 CPE variants)
fasterxml/jackson-databind
2.0.0 - 2.6.7.2
netapp/oncommand_balance
netapp/oncommand_performance_manager
(2 CPE variants)
netapp/oncommand_shift
netapp/snapcenter
oracle/banking_platform
2.5.0
... and 35 more
Published
Feb 06, 2018
Tracked Since
Feb 18, 2026