CVE-2017-15095 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2017-15095 Interim 1 21 2023-03-12T02:13:48Z current 2021-05-30T14:02:50Z 2023-03-12T02:13:48Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2017-15095 A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://www.suse.com/support/kb/doc/?id=7023098 E-Mail link for TID7023098 https://www.suse.com/support/kb/doc/?id=7023117 E-Mail link for TID7023117 https://www.suse.com/support/security/rating/ SUSE Security Ratings A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously. CVE-2017-15095 critical 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H