CVE-2023-35116
Published 2023-06-14

CVE-2023-35116: jackson-databind through 2.15.2 allows attackers to cause a denial of service or other unspecified impact via a crafted object that uses cyclic dependencies…
Priority: P4 · 15 · medium · 4.7 (CVSS 3.1)
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.35% (27.1st percentile)
jackson-databind through 2.15.2 allows attackers to cause a denial of service or other unspecified impact via a crafted object that uses cyclic dependencies. NOTE: the vendor's perspective is that this is not a valid vulnerability report, because the steps of constructing a cyclic data structure and trying to serialize it cannot be achieved by an external attacker.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fasterxml | jackson-databind | < 2.16.0 | 2.16.0 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 4.7 | MEDIUM | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H |
| osv | | 4.7 | MEDIUM | |
| vendor_oracle | | 4.7 | MEDIUM | |
| vendor_redhat | | 4.7 | MEDIUM | |
OSV
osv · 2023-06-14 · CVSS 4.7 · MEDIUM
** DISPUTED ** jackson-databind through 2.15.2 allows attackers to cause a denial of service or other unspecified impact via a crafted object that uses cyclic dependencies. NOTE: the vendor's perspective is that this is not a valid vulnerability report, because the steps of constructing a cyclic data structure and trying to serialize it cannot be achieved by an external attacker.
GHSA
GHSA-gx6w-fqg7-mc3p (CWE-502)
ghsa_unreviewed · 2023-06-14
An issue was discovered in jackson-databind through 2.15.2 that allows attackers to cause a denial of service or other unspecified impacts via a crafted object that uses cyclic dependencies.
Oracle
Oracle Fusion Middleware Risk Matrix: Runtime Java agent (jackson-databind) — CVE-2023-35116
vendor_oracle · 2024-10-15 · CVSS 4.7 · MEDIUM
CVE: CVE-2023-35116
CVSS: 4.7
Protocol: None
Remote exploit: No
Affected versions: Local
Advisory: cpuoct2024 (OCT 2024)
Oracle
Oracle Communications Applications Risk Matrix: REST Services Manager (jackson-databind) — CVE-2023-35116
vendor_oracle · 2024-07-15 · CVSS 4.7 · MEDIUM
CVE: CVE-2023-35116
CVSS: 4.7
Protocol: None
Remote exploit: No
Affected versions: Local
Advisory: cpujul2024 (JUL 2024)
Oracle
Oracle Fusion Middleware Risk Matrix: Third Party (jackson-databind) — CVE-2023-35116
vendor_oracle · 2024-04-15 · CVSS 4.7 · MEDIUM
CVE: CVE-2023-35116
CVSS: 4.7
Protocol: None
Remote exploit: No
Affected versions: Local
Advisory: cpuapr2024 (APR 2024)
Oracle
Oracle Database Server Risk Matrix: Oracle Database Fleet Patching and Provisioning (jackson-databind) — CVE-2023-35116
vendor_oracle · 2023-10-15 · CVSS 3.1 · MEDIUM
CVE: CVE-2023-35116
CVSS: 3.1
Protocol: HTTP
Remote exploit: No
Affected versions: Network
Advisory: cpuoct2023 (OCT 2023)
Red Hat
jackson-databind: denial of service via cyclic dependencies (CWE-770)
vendor_redhat · 2023-06-14 · CVSS 4.7 · MEDIUM
Statement: This CVE is disputed by the component developers and is under reconsideration by NIST. As such, it should be excluded from scanning utilities or other compliance systems until the dispute is finalized.
Mitigation: jackson-databind should not be used to deserialize untrusted inputs. User inputs should be validated and sanitized before processing.
Package: j
No detection rules found.
No public exploits indexed.