CVE-2017-17485

CRITICAL

Fasterxml Jackson-databind < 2.6.7.3 - Insecure Deserialization

Title source: rule

Description

FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.

Exploits (5)

nomisec WORKING POC 2 stars
by Al1ex · poc
https://github.com/Al1ex/CVE-2017-17485
nomisec WORKING POC
by dawetmaster · poc
https://github.com/dawetmaster/CVE-2017-17485-jackson-databind-vulnerable
nomisec WORKING POC
by andikahilmy · poc
https://github.com/andikahilmy/CVE-2017-17485-jackson-databind-vulnerable
nomisec NO CODE
by x7iaob · poc
https://github.com/x7iaob/cve-2017-17485
nomisec STUB
by tafamace · poc
https://github.com/tafamace/CVE-2017-17485

References (24)

... and 4 more

Scores

CVSS v3 9.8
EPSS 0.8495
EPSS Percentile 99.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-502
Status published
Products (13)
com.fasterxml.jackson.core/jackson-databind 2.9.0 - 2.9.4Maven
debian/debian_linux 8.0
debian/debian_linux 9.0
fasterxml/jackson-databind < 2.6.7.3
netapp/e-series_santricity_os_controller 11.0.0 - 11.60.3
netapp/e-series_santricity_web_services_proxy
netapp/oncommand_shift
netapp/snapcenter
redhat/jboss_enterprise_application_platform 6.0.0
redhat/jboss_enterprise_application_platform 6.4.0
... and 3 more
Published Jan 10, 2018
Tracked Since Feb 18, 2026