## Vulnerability Key Information

- **CVE ID**: CVE-2017-7525
- **Component**: jackson-databind
- **Version**: 3.11.4 and other versions (specifically: prior to 2.6.7.1, prior to 2.7.9.1, and prior to 2.8.9)
- **Vulnerability Type**: Remote Code Execution (RCE)
- **CVSS Score**: 7.5 (CVSS 2.0), 8.5 (Sonatype CVSS 3)
- **CWE ID**: CWE-502
- **Source**: National Vulnerability Database
- **Category**: Data

### Detailed Description

- **Vulnerability Description**: A deserialization vulnerability was discovered in jackson-databind. It allows unauthenticated users to execute arbitrary code by sending maliciously crafted input to the `readValue` method of `ObjectMapper`.
- **Root Cause**: The `createBeanDeserializer()` method in the `BeanDeserializerFactory` class permits deserialization of untrusted Java objects. A remote attacker can exploit this by submitting a malicious serialized object, leading to RCE.

### Detection and Mitigation

- **Detection Method**: Applications that use this component with default typing enabled are vulnerable. If the component is used as part of Spring Security and the Spring Security version is 4.2.3.RELEASE or higher (for 4.x) or 5.0.0.M2 or higher (for 5.x), the application is not affected.
- **Recommended Fix**: Upgrade to version 2.10.0 or higher, or disable the default typing configuration.

### Additional Information

- **Root Cause File**: apache-cassandra-3.11.4-bin.tar.gz
- **Occurrence Path**: ["apache-cassandra.zip"; "apache-cassandra.zip"]
- **Vulnerability URL**: [CVE-2017-7525](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7525)
- **Remediation Advice**: This component does not have a non-vulnerable version; contact the vendor for a fix.