CVE-2020-36518: jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.

high7.5CVSS 3.1

AVNACLPRNUINSUCNINAH

jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.

76 ranges· showing 25

Vendor	Product	Version range	Fixed in
atlassian	jira_software	—	—
debian	debian_linux	—	—
debian	debian_linux	—	—
debian	debian_linux	—	—
debian	jackson-databind	< jackson-databind 2.13.2.2-1 (bookworm)	jackson-databind 2.13.2.2-1 (bookworm)
fasterxml	jackson-databind	< 2.12.6.1	2.12.6.1
fasterxml	jackson-databind	>= 0 < 2.12.1-1+deb11u1	2.12.1-1+deb11u1
fasterxml	jackson-databind	>= 0 < 2.13.2.2-1	2.13.2.2-1
fasterxml	jackson-databind	>= 0 < 2.13.2.2-1	2.13.2.2-1
fasterxml	jackson-databind	>= 0 < 2.13.2.2-1	2.13.2.2-1
fasterxml	jackson-databind	>= 2.13.0 < 2.13.2.1	2.13.2.1
oracle	big_data_spatial_and_graph	< 23.1	23.1
oracle	coherence	—	—
oracle	commerce_platform	—	—
oracle	commerce_platform	—	—
oracle	commerce_platform	—	—
oracle	communications_billing_and_revenue_management	12.0.0.4.0 – 12.0.0.6.0	—
oracle	communications_cloud_native_core_binding_support_function	—	—
oracle	communications_cloud_native_core_console	—	—
oracle	communications_cloud_native_core_network_repository_function	—	—
oracle	communications_cloud_native_core_network_repository_function	—	—
oracle	communications_cloud_native_core_network_slice_selection_function	—	—
oracle	communications_cloud_native_core_network_slice_selection_function	—	—
oracle	communications_cloud_native_core_security_edge_protection_proxy	—	—
oracle	communications_cloud_native_core_service_communication_proxy	—	—

nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

ghsa7.5HIGH

osv7.5HIGH