Updated jackson-databind packages fix security vulnerability
Publication date: 24 Feb 2018Modification date: 24 Feb 2018
Type: security
Affected Mageia releases : 6
CVE: CVE-2017-17485 , CVE-2018-5968
Description
A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of ObjectMapper (CVE-2017-17485). A flaw was found in FasterXML jackson-databind which allows unauthenticated remote code execution due deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist (CVE-2018-5968).
References
SRPMS
6/core
- jackson-databind-2.7.6-1.3.mga6