Description
FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.
Remediation
References
Related Vulnerabilities
WordPress Plugin LearnPress-WordPress LMS Security Bypass (3.2.6.6)
WebLogic CVE-2021-2018 Vulnerability (CVE-2021-2018)
Oracle Application Server CVE-2008-2593 Vulnerability (CVE-2008-2593)
WordPress Plugin WP EasyPay-Square for WordPress Cross-Site Request Forgery (3.2.0)
Drupal Core 4.7.x Form Action Attribute Injection (4.7.0 - 4.7.3)