CVE-2017-15095 in Oracle Communications Diameter Signaling Router

Summary

A deserialization flaw was discovered in jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525; the fix blacklists additional classes that could be used maliciously.


Reservation

10/08/2017

Disclosure

02/06/2018

Entries

VulDB provides additional information and datapoints for this CVE:

ID     | Vulnerability                                                                                         | CWE | Exploit     | Countermeasure | CVE
129471 | Oracle Communications Diameter Signaling Router jackson-databind deserialization                      | 502 | Not defined | Official fix   | CVE-2017-15095
125610 | Oracle Retail Open Commerce Platform jackson-databind deserialization                                 | 502 | Not defined | Official fix   | CVE-2017-15095
125529 | Oracle JD Edwards EnterpriseOne Tools Monitoring/Diagnostics deserialization                          | 502 | Not defined | Official fix   | CVE-2017-15095
125528 | Oracle JD Edwards EnterpriseOne Tools Business Logic Inf deserialization                              | 502 | Not defined | Official fix   | CVE-2017-15095
125429 | Oracle Identity Manager Installer deserialization                                                     | 502 | Not defined | Official fix   | CVE-2017-15095
125380 | Oracle Communications Instant Messaging Server jackson-databind deserialization                       | 502 | Not defined | Official fix   | CVE-2017-15095
121566 | Oracle Database Spatial deserialization                                                               | 502 | Not defined | Official fix   | CVE-2017-15095
116824 | Oracle Agile PLM Framework Web Client deserialization                                                 | 502 | Not defined | Official fix   | CVE-2017-15095
116803 | Oracle Retail Xstore Point of Service Xenvironment deserialization                                    | 502 | Not defined | Official fix   | CVE-2017-15095
116793 | Oracle Retail Order Broker System Administration deserialization                                      | 502 | Not defined | Official fix   | CVE-2017-15095
116730 | Oracle JD Edwards EnterpriseOne Tools EnterpriseOne Mobility Sec deserialization                      | 502 | Not defined | Official fix   | CVE-2017-15095
116685 | Oracle WebCenter Portal Security deserialization                                                      | 502 | Not defined | Official fix   | CVE-2017-15095
116635 | Oracle Banking Platform Infrastructure deserialization                                                | 502 | Not defined | Official fix   | CVE-2017-15095
116634 | Oracle Banking Enterprise Product Manufacturing Infrastructure deserialization                        | 502 | Not defined | Official fix   | CVE-2017-15095
116633 | Oracle Banking Enterprise Originations Infrastructure deserialization                                 | 502 | Not defined | Official fix   | CVE-2017-15095
116632 | Oracle Banking Enterprise Collections Infrastructure deserialization                                  | 502 | Not defined | Official fix   | CVE-2017-15095
116621 | Oracle Enterprise Manager for Virtualization Generic Virtualization (jackson-databind) deserialization | 502 | Not defined | Official fix   | CVE-2017-15095
116602 | Oracle Primavera Unifier jackson-databind deserialization                                             | 502 | Not defined | Official fix   | CVE-2017-15095
116595 | Oracle Communications Contacts Server REST deserialization                                            | 502 | Not defined | Official fix   | CVE-2017-15095
116594 | Oracle Communications Calendar Server WCAP deserialization                                            | 502 | Not defined | Official fix   | CVE-2017-15095
112877 | jackson-databind readValue deserialization                                                            | 502 | Not defined | Official fix   | CVE-2017-15095
