Advisories ยป MGASA-2018-0138

Updated jackson-databind packages fix security vulnerability

Publication date: 24 Feb 2018
Type: security
Affected Mageia releases : 6
CVE: CVE-2017-17485 , CVE-2018-5968

Description

A deserialization flaw was discovered in the jackson-databind which could
allow an unauthenticated user to perform code execution by sending
maliciously crafted input to the readValue method of ObjectMapper
(CVE-2017-17485).

A flaw was found in FasterXML jackson-databind which allows unauthenticated
remote code execution due deserialization flaws. This is exploitable via
two different gadgets that bypass a blacklist (CVE-2018-5968).
                

References

SRPMS

6/core