CVE-2020-36518

jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
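| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | 7.5 HIGH | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| mitre | CNA | --- | | | | --- |
| CVE | ADP | --- | | | | --- |
| CISA-ADP | ADP | --- | | | | --- |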
EPSS Score
Percentile: 63%
| Vendor | Product | Version |
|---|---|---|
| fasterxml | jackson-databind | 𝑥 < 2.12.6.1 |
| fasterxml | jackson-databind | 2.13.0 ≤ 𝑥 < 2.13.2.1 |
| oracle | big_data_spatial_and_graph | 𝑥 < 23.1 |
| oracle | coherence | 14.1.1.0.0 |
| oracle | commerce_platform | 11.3.0 |
| oracle | commerce_platform | 11.3.1 |
| oracle | commerce_platform | 11.3.2 |
| oracle | communications_billing_and_revenue_management | 12.0.0.4.0 ≤ 𝑥 ≤ 12.0.0.6.0 |
| oracle | communications_cloud_native_core_binding_support_function | 22.1.3 |
| oracle | communications_cloud_native_core_console | 1.9.0 |
| oracle | communications_cloud_native_core_network_repository_function | 22.1.2 |
| oracle | communications_cloud_native_core_network_repository_function | 22.2.0 |
| oracle | communications_cloud_native_core_network_slice_selection_function | 22.1.0 |
| oracle | communications_cloud_native_core_network_slice_selection_function | 22.1.1 |
| oracle | communications_cloud_native_core_security_edge_protection_proxy | 22.1.1 |
| oracle | communications_cloud_native_core_service_communication_proxy | 22.2.0 |
| oracle | communications_cloud_native_core_unified_data_repository | 22.2.0 |
| oracle | financial_services_analytical_applications_infrastructure | 8.0.7 ≤ 𝑥 ≤ 8.1.0.0 |
| oracle | financial_services_analytical_applications_infrastructure | 8.1.1.0 |
| oracle | financial_services_analytical_applications_infrastructure | 8.1.2.0 |
| oracle | financial_services_analytical_applications_infrastructure | 8.1.2.1 |
| oracle | financial_services_behavior_detection_platform | 8.1.1.0 ≤ 𝑥 ≤ 8.1.2.1 |
| oracle | financial_services_behavior_detection_platform | 8.0.7.0.0 |
| oracle | financial_services_behavior_detection_platform | 8.0.8 |
| oracle | financial_services_crime_and_compliance_management_studio | 8.0.8.2.0 |
| oracle | financial_services_crime_and_compliance_management_studio | 8.0.8.3.0 |
| oracle | financial_services_enterprise_case_management | 8.1.1.0 ≤ 𝑥 ≤ 8.1.2.1 |
| oracle | financial_services_enterprise_case_management | 8.0.7.1 |
| oracle | financial_services_enterprise_case_management | 8.0.7.2 |
| oracle | financial_services_enterprise_case_management | 8.0.8.0 |
| oracle | financial_services_enterprise_case_management | 8.0.8.1 |
| oracle | financial_services_trade-based_anti_money_laundering | 8.0.7 |
| oracle | financial_services_trade-based_anti_money_laundering | 8.0.8 |
| oracle | global_lifecycle_management_nextgen_oui_framework | 𝑥 < 13.9.4.2.2 |
| oracle | global_lifecycle_management_nextgen_oui_framework | 13.9.4.2.2 |
| oracle | global_lifecycle_management_opatch | 𝑥 < 12.2.0.1.30 |
| oracle | graph_server_and_client | 𝑥 < 22.2.0 |
| oracle | health_sciences_empirica_signal | 9.1.0.5.2 |
| oracle | peoplesoft_enterprise_peopletools | 8.58 |
| oracle | peoplesoft_enterprise_peopletools | 8.59 |
| oracle | primavera_gateway | 17.12.0 ≤ 𝑥 ≤ 17.12.11 |
| oracle | primavera_gateway | 18.8.0 ≤ 𝑥 ≤ 18.8.14 |
| oracle | primavera_gateway | 19.12.0 ≤ 𝑥 ≤ 19.12.13 |
| oracle | primavera_gateway | 20.12.0 ≤ 𝑥 ≤ 20.12.18 |
| oracle | primavera_gateway | 21.12.0 ≤ 𝑥 ≤ 21.12.1 |
| oracle | primavera_p6_enterprise_project_portfolio_management | 17.12.0.0 ≤ 𝑥 ≤ 17.12.20.4 |
| oracle | primavera_p6_enterprise_project_portfolio_management | 18.8.0.0 ≤ 𝑥 ≤ 18.8.25.4 |
| oracle | primavera_p6_enterprise_project_portfolio_management | 19.12.0 ≤ 𝑥 ≤ 19.12.19.0 |
| oracle | primavera_p6_enterprise_project_portfolio_management | 20.12.0.0 ≤ 𝑥 ≤ 21.12.4.0 |
| oracle | primavera_unifier | 17.0 ≤ 𝑥 ≤ 17.12 |
| oracle | primavera_unifier | 18.0 |
| oracle | primavera_unifier | 19.12 |
| oracle | primavera_unifier | 20.12 |
| oracle | primavera_unifier | 21.12 |
| oracle | retail_sales_audit | 15.0.3.1 |
| oracle | sd-wan_edge | 9.0 |
| oracle | sd-wan_edge | 9.1 |
| oracle | spatial_studio | 𝑥 < 20.1.0 |
| oracle | utilities_framework | 4.3.0.5.0 |
| oracle | utilities_framework | 4.3.0.6.0 |
| oracle | utilities_framework | 4.4.0.0.0 |
| oracle | utilities_framework | 4.4.0.2.0 |
| oracle | utilities_framework | 4.4.0.3.0 |
| oracle | utilities_framework | 4.4.0.5.0 |
| oracle | weblogic_server | 12.2.1.3.0 |
| oracle | weblogic_server | 12.2.1.4.0 |
| oracle | weblogic_server | 14.1.1.0.0 |
| debian | debian_linux | 9.0 |
| debian | debian_linux | 10.0 |
| debian | debian_linux | 11.0 |
| netapp | active_iq_unified_manager | - |
| netapp | active_iq_unified_manager | - |
| netapp | active_iq_unified_manager | - |
| netapp | cloud_insights_acquisition_unit | - |
| netapp | oncommand_insight | - |
| netapp | oncommand_workflow_automation | - |
| netapp | snap_creator_framework | - |

𝑥 = Vulnerable software versions
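
Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| jackson-databind | bullseye (security) | 2.12.1-1+deb11u1 | fixed |
| jackson-databind | bullseye | 2.12.1-1+deb11u1 | fixed |
| jackson-databind | sid | 2.14.0-1 | fixed |
| jackson-databind | trixie | 2.14.0-1 | fixed |
| jackson-databind | bookworm | 2.14.0-1 | fixed |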
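
Ubuntu Releases

| Ubuntu Product | Codename | Status |
|---|---|---|
| jackson-databind | noble | needs-triage |
| jackson-databind | mantic | ignored |
| jackson-databind | lunar | ignored |
| jackson-databind | kinetic | ignored |
| jackson-databind | jammy | needs-triage |
| jackson-databind | impish | ignored |
| jackson-databind | focal | needs-triage |
| jackson-databind | bionic | needs-triage |
| jackson-databind | xenial | needs-triage |
| jackson-databind | trusty | needs-triage |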