CVE-2021-46877

CWE-770 — Allocation without Limits CWE-400 — Uncontrolled Resource Consumption9 documents8 sources

Severity

7.5HIGH

EPSS

0.3%

top 47.34%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fasterxml Jackson-databind

Timeline

PublishedMar 18

Latest updateNov 21

Description

jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1 allows attackers to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶NVDfasterxml/jackson-databind2.10.0 — 2.12.6+1

▶Mavencom.fasterxml.jackson.core:jackson-databind2.10.0 — 2.12.6+1

▶Debianjackson-databind< 2.13.2.2-1+2

🔴Vulnerability Details

OSV

jackson-databind possible Denial of Service if using JDK serialization to serialize JsonNode↗2023-03-19

▶

GHSA

jackson-databind possible Denial of Service if using JDK serialization to serialize JsonNode↗2023-03-19

▶

CVEList

CVE-2021-46877: jackson-databind 2↗2023-03-18

▶

OSV

CVE-2021-46877: jackson-databind 2↗2023-03-18

▶

📋Vendor Advisories

Atlassian

CVE-2021-46877: DoS (Denial of Service) jackson-databind in Jira Software Data Center and Server↗2023-11-21

▶

Oracle

Oracle Oracle Fusion Middleware Risk Matrix: 10g - Users, roles, credentials, security (jackson-databind) — CVE-2021-46877↗2023-07-15

▶

Red Hat

jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode↗2023-03-19

▶

Debian

CVE-2021-46877: jackson-databind - jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1 al...↗2021

▶