Critical severityNVD Advisory· Published Feb 6, 2018· Updated Sep 16, 2024

CVE-2017-15095

Description

A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
com.fasterxml.jackson.core:jackson-databindMaven	>= 2.8.0, < 2.8.11	2.8.11
com.fasterxml.jackson.core:jackson-databindMaven	>= 2.9.0, < 2.9.4	2.9.4
com.fasterxml.jackson.core:jackson-databindMaven	>= 2.0.0, < 2.6.7.3	2.6.7.3
com.fasterxml.jackson.core:jackson-databindMaven	>= 2.7.0, < 2.7.9.2	2.7.9.2

Affected products

Fasterxml/Jackson Databindv5
Range: before 2.8.10

Patches

a054585e2175

https://github.com/FasterXML/jackson-databindvia ghsa

commit

a3939d36edcc

https://github.com/FasterXML/jackson-databindvia ghsa

commit

ddfddfba6414

https://github.com/FasterXML/jackson-databindvia ghsa

commit

e865a7a4464d

https://github.com/FasterXML/jackson-databindvia ghsa

commit

e8f043d1aac9

https://github.com/FasterXML/jackson-databindvia ghsa

commit

80566a0f96b2

https://github.com/tolbertam/jackson-databindvia ghsa

commit

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

access.redhat.com/errata/RHSA-2017:3189ghsavendor-advisoryx_refsource_REDHATWEB
access.redhat.com/errata/RHSA-2017:3190ghsavendor-advisoryx_refsource_REDHATWEB
access.redhat.com/errata/RHSA-2018:0342ghsavendor-advisoryx_refsource_REDHATWEB
access.redhat.com/errata/RHSA-2018:0478ghsavendor-advisoryx_refsource_REDHATWEB
access.redhat.com/errata/RHSA-2018:0479ghsavendor-advisoryx_refsource_REDHATWEB
access.redhat.com/errata/RHSA-2018:0480ghsavendor-advisoryx_refsource_REDHATWEB
access.redhat.com/errata/RHSA-2018:0481ghsavendor-advisoryx_refsource_REDHATWEB
access.redhat.com/errata/RHSA-2018:0576ghsavendor-advisoryx_refsource_REDHATWEB
access.redhat.com/errata/RHSA-2018:0577ghsavendor-advisoryx_refsource_REDHATWEB
access.redhat.com/errata/RHSA-2018:1447ghsavendor-advisoryx_refsource_REDHATWEB
access.redhat.com/errata/RHSA-2018:1448ghsavendor-advisoryx_refsource_REDHATWEB
access.redhat.com/errata/RHSA-2018:1449ghsavendor-advisoryx_refsource_REDHATWEB
access.redhat.com/errata/RHSA-2018:1450ghsavendor-advisoryx_refsource_REDHATWEB
access.redhat.com/errata/RHSA-2018:1451ghsavendor-advisoryx_refsource_REDHATWEB
access.redhat.com/errata/RHSA-2018:2927ghsavendor-advisoryx_refsource_REDHATWEB
access.redhat.com/errata/RHSA-2019:2858ghsavendor-advisoryx_refsource_REDHATWEB
access.redhat.com/errata/RHSA-2019:3149ghsavendor-advisoryx_refsource_REDHATWEB
access.redhat.com/errata/RHSA-2019:3892ghsavendor-advisoryx_refsource_REDHATWEB
github.com/advisories/GHSA-h592-38cm-4ggpghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2017-15095ghsaADVISORY
www.debian.org/security/2017/dsa-4037ghsavendor-advisoryx_refsource_DEBIANWEB
www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.htmlghsax_refsource_CONFIRMWEB
www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.htmlghsax_refsource_CONFIRMWEB
www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.htmlghsax_refsource_CONFIRMWEB
www.securityfocus.com/bid/103880mitrevdb-entryx_refsource_BID
www.securitytracker.com/id/1039769mitrevdb-entryx_refsource_SECTRACK
github.com/FasterXML/jackson-databind/commit/a054585e2175ad0882f07bcafedecfac86230f1bghsaWEB
github.com/FasterXML/jackson-databind/commit/a3939d36edcc755c8af55bdc1969e0fa8438f9dbghsaWEB
github.com/FasterXML/jackson-databind/commit/ddfddfba6414adbecaff99684ef66eebd3a92e92ghsaWEB
github.com/FasterXML/jackson-databind/commit/e865a7a4464da63ded9f4b1a2328ad85c9ded78bghsaWEB
github.com/FasterXML/jackson-databind/commit/e8f043d1aac9b82eee907e0f0c3abbdea723a935ghsaWEB
github.com/FasterXML/jackson-databind/issues/1680ghsax_refsource_CONFIRMWEB
github.com/FasterXML/jackson-databind/issues/1737ghsax_refsource_CONFIRMWEB
github.com/tolbertam/jackson-databind/commit/80566a0f96b2003863f9d8f9ccc3b562001e147bghsaWEB
lists.apache.org/thread.html/f095a791bda6c0595f691eddd0febb2d396987eec5cbd29120d8c629%40%3Csolr-user.lucene.apache.org%3Emitremailing-listx_refsource_MLIST
lists.apache.org/thread.html/f095a791bda6c0595f691eddd0febb2d396987eec5cbd29120d8c629@%3Csolr-user.lucene.apache.org%3EghsaWEB
lists.debian.org/debian-lts-announce/2020/01/msg00037.htmlghsamailing-listx_refsource_MLISTWEB
security.netapp.com/advisory/ntap-20171214-0003ghsaWEB
security.netapp.com/advisory/ntap-20171214-0003/mitrex_refsource_CONFIRM
web.archive.org/web/20200401000000*/http://www.securityfocus.com/bid/103880ghsaWEB
web.archive.org/web/20201221192044/http://www.securitytracker.com/id/1039769ghsaWEB
www.oracle.com/security-alerts/cpuoct2020.htmlghsax_refsource_MISCWEB
www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.htmlghsax_refsource_CONFIRMWEB
www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.htmlghsax_refsource_MISCWEB

News mentions

No linked articles in our index yet.

cvss	0.585
epss	0.006
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000