RHSA-2018:0116-01 -- Redhat rh-eclipse46-jackson-databindID: oval:org.secpod.oval:def:505067 | Date: (C)2021-01-29 (M)2023-06-15 |
Class: PATCH | Family: unix |
The jackson-databind package provides general data-binding functionality for Jackson, which works on top of Jackson core streaming API. Security Fix: * A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of ObjectMapper. This issue extends upon the previous flaws CVE-2017-7525 and CVE-2017-15095 by blacklisting more classes that could be used maliciously. Red Hat would like to thank 0c0c0f from 360 for reporting this issue.
Platform: |
Red Hat Enterprise Linux 7 |
Product: |
rh-eclipse46-jackson-databind |