Description
FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.
Remediation
References