Critical severity 9.8 · NVD Advisory · Published Feb 6, 2018 · Updated Jun 17, 2026
CVE-2017-15095
Description
A deserialization flaw was discovered in jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw, CVE-2017-7525; the fix blacklists more classes that could be used maliciously.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.fasterxml.jackson.core:jackson-databind (Maven) | >= 2.8.0, < 2.8.11 | 2.8.11 |
| com.fasterxml.jackson.core:jackson-databind (Maven) | >= 2.9.0, < 2.9.4 | 2.9.4 |
| com.fasterxml.jackson.core:jackson-databind (Maven) | >= 2.0.0, < 2.6.7.3 | 2.6.7.3 |
| com.fasterxml.jackson.core:jackson-databind (Maven) | >= 2.7.0, < 2.7.9.2 | 2.7.9.2 |
Affected products
- Range: before 2.8.10
References
- www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html (nvd: Patch, Third Party Advisory, WEB)
- www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html (nvd: Patch, Third Party Advisory, WEB)
- www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html (nvd: Patch, Third Party Advisory, WEB)
- github.com/FasterXML/jackson-databind/issues/1737 (nvd: Issue Tracking, Patch, Third Party Advisory, WEB)
- www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html (nvd: Patch, Third Party Advisory, WEB)
- www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html (nvd: Patch, Third Party Advisory, WEB)
- www.securityfocus.com/bid/103880 (nvd: Third Party Advisory, VDB Entry)
- www.securitytracker.com/id/1039769 (nvd: Third Party Advisory, VDB Entry)
- access.redhat.com/errata/RHSA-2017:3189 (nvd: Third Party Advisory, WEB)
- access.redhat.com/errata/RHSA-2017:3190 (nvd: Third Party Advisory, WEB)
- access.redhat.com/errata/RHSA-2018:0342 (nvd: Third Party Advisory, WEB)
- access.redhat.com/errata/RHSA-2018:0478 (nvd: Third Party Advisory, WEB)
- access.redhat.com/errata/RHSA-2018:0479 (nvd: Third Party Advisory, WEB)
- access.redhat.com/errata/RHSA-2018:0480 (nvd: Third Party Advisory, WEB)
- access.redhat.com/errata/RHSA-2018:0481 (nvd: Third Party Advisory, WEB)
- access.redhat.com/errata/RHSA-2018:0576 (nvd: Third Party Advisory, WEB)
- access.redhat.com/errata/RHSA-2018:0577 (nvd: Third Party Advisory, WEB)
- access.redhat.com/errata/RHSA-2018:1447 (nvd: Third Party Advisory, WEB)
- access.redhat.com/errata/RHSA-2018:1448 (nvd: Third Party Advisory, WEB)
- access.redhat.com/errata/RHSA-2018:1449 (nvd: Third Party Advisory, WEB)
- access.redhat.com/errata/RHSA-2018:1450 (nvd: Third Party Advisory, WEB)
- access.redhat.com/errata/RHSA-2018:1451 (nvd: Third Party Advisory, WEB)
- access.redhat.com/errata/RHSA-2018:2927 (nvd: Third Party Advisory, WEB)
- access.redhat.com/errata/RHSA-2019:2858 (nvd: Third Party Advisory, WEB)
- access.redhat.com/errata/RHSA-2019:3149 (nvd: Third Party Advisory, WEB)
- access.redhat.com/errata/RHSA-2019:3892 (nvd: Third Party Advisory, WEB)
- github.com/FasterXML/jackson-databind/issues/1680 (nvd: Issue Tracking, Third Party Advisory, WEB)
- github.com/advisories/GHSA-h592-38cm-4ggp (ghsa: ADVISORY)
- lists.debian.org/debian-lts-announce/2020/01/msg00037.html (nvd: Mailing List, Third Party Advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2017-15095 (ghsa: ADVISORY)
- security.netapp.com/advisory/ntap-20171214-0003/ (nvd: Third Party Advisory)
- www.debian.org/security/2017/dsa-4037 (nvd: Third Party Advisory, WEB)
- www.oracle.com/security-alerts/cpuoct2020.html (nvd: Third Party Advisory, WEB)
- github.com/FasterXML/jackson-databind/commit/a054585e2175ad0882f07bcafedecfac86230f1b (ghsa: WEB)
- github.com/FasterXML/jackson-databind/commit/a3939d36edcc755c8af55bdc1969e0fa8438f9db (ghsa: WEB)
- github.com/FasterXML/jackson-databind/commit/ddfddfba6414adbecaff99684ef66eebd3a92e92 (ghsa: WEB)
- github.com/FasterXML/jackson-databind/commit/e865a7a4464da63ded9f4b1a2328ad85c9ded78b (ghsa: WEB)
- github.com/FasterXML/jackson-databind/commit/e8f043d1aac9b82eee907e0f0c3abbdea723a935 (ghsa: WEB)
- github.com/tolbertam/jackson-databind/commit/80566a0f96b2003863f9d8f9ccc3b562001e147b (ghsa: WEB)
- lists.apache.org/thread.html/f095a791bda6c0595f691eddd0febb2d396987eec5cbd29120d8c629@%3Csolr-user.lucene.apache.org%3E (ghsa: WEB)
- security.netapp.com/advisory/ntap-20171214-0003 (ghsa: WEB)
- web.archive.org/web/20200401000000*/http://www.securityfocus.com/bid/103880 (ghsa: WEB)
- web.archive.org/web/20201221192044/http://www.securitytracker.com/id/1039769 (ghsa: WEB)
- lists.apache.org/thread.html/f095a791bda6c0595f691eddd0febb2d396987eec5cbd29120d8c629%40%3Csolr-user.lucene.apache.org%3E (nvd)