CVE-2023-35116

CWE-770 — Allocation without Limits CWE-502 — Deserialization of Untrusted Data9 documents6 sources

Severity

4.7MEDIUM

EPSS

0.0%

top 96.30%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fasterxml Jackson-databind

Timeline

PublishedJun 14

Latest updateOct 15

Description

jackson-databind through 2.15.2 allows attackers to cause a denial of service or other unspecified impact via a crafted object that uses cyclic dependencies. NOTE: the vendor's perspective is that this is not a valid vulnerability report, because the steps of constructing a cyclic data structure and trying to serialize it cannot be achieved by an external attacker.

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 1.0 | Impact: 3.6

Affected Packages1 packages

▶NVDfasterxml/jackson-databind< 2.16.0

🔴Vulnerability Details

OSV

CVE-2023-35116: ** DISPUTED ** jackson-databind through 2↗2023-06-14

▶

GHSA

GHSA-gx6w-fqg7-mc3p: An issue was discovered jackson-databind thru 2↗2023-06-14

▶

CVEList

CVE-2023-35116: jackson-databind through 2↗2023-06-14

▶

📋Vendor Advisories

Oracle

Oracle Oracle Fusion Middleware Risk Matrix: Runtime Java agent (jackson-databind) — CVE-2023-35116↗2024-10-15

▶

Oracle

Oracle Oracle Communications Applications Risk Matrix: REST Services Manager (jackson-databind) — CVE-2023-35116↗2024-07-15

▶

Oracle

Oracle Oracle Fusion Middleware Risk Matrix: Third Party (jackson-databind) — CVE-2023-35116↗2024-04-15

▶

Oracle

Oracle Oracle Database Server Risk Matrix: Oracle Database Fleet Patching and Provisioning (jackson-databind) — CVE-2023-35116↗2023-10-15

▶

Red Hat

jackson-databind: denial of service via cylic dependencies↗2023-06-14

▶