CVE-2020-36518 — Out-of-bounds Write in Jackson-databind

CWE-787 — Out-of-bounds Write CWE-400 — Uncontrolled Resource Consumption15 documents8 sources

Severity

7.5HIGHNVD

EPSS

0.5%

top 33.39%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fasterxml Jackson-databind Oracle BIG Data Spatial AND Graph Oracle Global Lifecycle Management Nextgen OUI Framework +28 more

Timeline

PublishedMar 11

Latest updateNov 21

Description

jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages31 packages

▶NVDfasterxml/jackson-databind2.13.0 — 2.13.2.1+1

▶Debianfasterxml/jackson-databind< 2.12.1-1+deb11u1+3

▶NVDoracle/financial_services_enterprise_case_management8.1.1.0 — 8.1.2.1+4

▶NVDoracle/financial_services_behavior_detection_platform8.1.1.0 — 8.1.2.1+2

▶NVDoracle/financial_services_analytical_applications_infrastructure8.0.7 — 8.1.0.0+3

Also affects: Debian Linux 10.0, 11.0, 9.0

🔴Vulnerability Details

GHSA

Deeply nested json in jackson-databind↗2022-03-12

▶

OSV

Deeply nested json in jackson-databind↗2022-03-12

▶

OSV

CVE-2020-36518: jackson-databind before 2↗2022-03-11

▶

CVEList

CVE-2020-36518: jackson-databind before 2↗2022-03-11

▶

📋Vendor Advisories

Atlassian

CVE-2020-36518: DoS (Denial of Service) com.fasterxml.jackson.core in Jira Software Data Center and Server↗2023-11-21

▶

Oracle

Oracle Oracle Enterprise Manager Risk Matrix: Event Management (jackson-databind) — CVE-2020-36518↗2023-10-15

▶

Oracle

Oracle Oracle Fusion Middleware Risk Matrix: Centralized Thirdparty Jars (jackson-databind) — CVE-2020-36518↗2023-07-15

▶

Oracle

Oracle Oracle Blockchain Platform Risk Matrix: BCS Console (jackson-databind) — CVE-2020-36518↗2023-04-15

▶

Oracle

Oracle Oracle GoldenGate Risk Matrix: GoldenGate Stream Analytics (jackson-databind) — CVE-2020-36518↗2023-01-15

▶