### [CVE-2017-7525](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7525)
![](https://img.shields.io/static/v1?label=Product&message=jackson-databind&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=n%2Fa&color=blue)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-184&color=brighgreen)

### Description

A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.

### POC

#### Reference
- http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
- http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
- https://access.redhat.com/errata/RHSA-2017:1835
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

#### Github
- https://github.com/0xT11/CVE-POC
- https://github.com/ARPSyndicate/cvemon
- https://github.com/AdeliaNitzsche/Java-Deserialization-Cheat-Sheet
- https://github.com/BassinD/jackson-RCE
- https://github.com/BrittanyKuhn/javascript-tutorial
- https://github.com/CatalanCabbage/king-of-pop
- https://github.com/CrackerCat/myhktools
- https://github.com/Dannners/jackson-deserialization-2017-7525
- https://github.com/Drun1baby/JavaSecurityLearning
- https://github.com/GhostTroops/myhktools
- https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet
- https://github.com/GrrrDog/ZeroNights-WebVillage-2017
- https://github.com/Ingenuity-Fainting-Goats/CVE-2017-7525-Jackson-Deserialization-Lab
- https://github.com/Jake-Schoellkopf/Insecure-Java-Deserialization
- https://github.com/JavanXD/Demo-Exploit-Jackson-RCE
- https://github.com/Live-Hack-CVE/CVE-2017-15095
- https://github.com/Nazicc/S2-055
- https://github.com/NetW0rK1le3r/awesome-hacking-lists
- https://github.com/PalindromeLabs/Java-Deserialization-CVEs
- https://github.com/Pear1y/Vuln-Env
- https://github.com/Pear1y/VulnEnv
- https://github.com/SecureSkyTechnology/study-struts2-s2-054_055-jackson-cve-2017-7525_cve-2017-15095
- https://github.com/SexyBeast233/SecBooks
- https://github.com/ShiftLeftSecurity/HelloShiftLeft-Scala
- https://github.com/SugarP1g/LearningSecurity
- https://github.com/Threekiii/Awesome-Exploit
- https://github.com/Threekiii/Awesome-POC
- https://github.com/Threekiii/Vulhub-Reproduce
- https://github.com/bakery312/Vulhub-Reproduce
- https://github.com/cedelasen/htb-time
- https://github.com/conikeec/helloshiftleftplay
- https://github.com/do0dl3/myhktools
- https://github.com/dotanuki-labs/android-oss-cves-research
- https://github.com/galimba/Jackson-deserialization-PoC
- https://github.com/hectorgie/PoC-in-GitHub
- https://github.com/hktalent/bug-bounty
- https://github.com/hktalent/myhktools
- https://github.com/ilmari666/cybsec
- https://github.com/ilmila/J2EEScan
- https://github.com/iqrok/myhktools
- https://github.com/irsl/jackson-rce-via-spel
- https://github.com/jaroslawZawila/vulnerable-play
- https://github.com/jault3/jackson-databind-exploit
- https://github.com/klarna/kco_rest_java
- https://github.com/klausware/Java-Deserialization-Cheat-Sheet
- https://github.com/lnick2023/nicenice
- https://github.com/martinzhou2015/writeups
- https://github.com/maxbitcoin/Jackson-CVE-2017-17485
- https://github.com/mishmashclone/GrrrDog-Java-Deserialization-Cheat-Sheet
- https://github.com/mymortal/expcode
- https://github.com/noegythnibin/links
- https://github.com/ongamse/Scala
- https://github.com/qazbnm456/awesome-cve-poc
- https://github.com/readloud/Awesome-Stars
- https://github.com/ronoski/j2ee-rscan
- https://github.com/rootsecurity/Jackson-CVE-2017-17485
- https://github.com/seal-community/patches
- https://github.com/softrams/cve-risk-scores
- https://github.com/taielab/awesome-hacking-lists
- https://github.com/touchmycrazyredhat/myhktools
- https://github.com/trhacknon/myhktools
- https://github.com/wahyuhadi/spel.xml
- https://github.com/woods-sega/woodswiki
- https://github.com/xbl2022/awesome-hacking-lists
- https://github.com/xbl3/awesome-cve-poc_qazbnm456
- https://github.com/yahoo/cubed
- https://github.com/zema1/oracle-vuln-crawler