CVE-2020-36518

Severity: High (CVSS 3.1 base score 7.5) · EPSS: 90.9%
Published Mar 11, 2022 (4y ago) · Last Modified Jun 17, 2026 (2w ago)

Description

jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.

CVSS Details

Base Score: 7.5
Exploitability: 3.9
Impact: 3.6
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Threat Intelligence

EPSS Exploit Probability: 90.9% percentile
Exploit & Patch Status: Public Exploit Known; No Patch Available

Weaknesses (1)

CWE-787 Out-of-bounds Write (Memory Safety)

Affected Products (77)

Vendor | Product | Version | Range
fasterxml | jackson-databind | * | <2.12.6.1
fasterxml | jackson-databind | * | ≥2.13.0 – <2.13.2.1
oracle | big_data_spatial_and_graph | * | <23.1
oracle | coherence | 14.1.1.0.0 | any
oracle | commerce_platform | 11.3.0 | any
oracle | commerce_platform | 11.3.1 | any
oracle | commerce_platform | 11.3.2 | any
oracle | communications_billing_and_revenue_management | * | ≥12.0.0.4.0 – ≤12.0.0.6.0
oracle | communications_cloud_native_core_binding_support_function | 22.1.3 | any
oracle | communications_cloud_native_core_console | 1.9.0 | any
oracle | communications_cloud_native_core_network_repository_function | 22.1.2 | any
oracle | communications_cloud_native_core_network_repository_function | 22.2.0 | any
oracle | communications_cloud_native_core_network_slice_selection_function | 22.1.0 | any
oracle | communications_cloud_native_core_network_slice_selection_function | 22.1.1 | any
oracle | communications_cloud_native_core_security_edge_protection_proxy | 22.1.1 | any
oracle | communications_cloud_native_core_service_communication_proxy | 22.2.0 | any
oracle | communications_cloud_native_core_unified_data_repository | 22.2.0 | any
oracle | financial_services_analytical_applications_infrastructure | * | ≥8.0.7 – ≤8.1.0.0
oracle | financial_services_analytical_applications_infrastructure | 8.1.1.0 | any
oracle | financial_services_analytical_applications_infrastructure | 8.1.2.0 | any
oracle | financial_services_analytical_applications_infrastructure | 8.1.2.1 | any
oracle | financial_services_behavior_detection_platform | * | ≥8.1.1.0 – ≤8.1.2.1
oracle | financial_services_behavior_detection_platform | 8.0.7.0.0 | any
oracle | financial_services_behavior_detection_platform | 8.0.8 | any
oracle | financial_services_crime_and_compliance_management_studio | 8.0.8.2.0 | any
oracle | financial_services_crime_and_compliance_management_studio | 8.0.8.3.0 | any
oracle | financial_services_enterprise_case_management | * | ≥8.1.1.0 – ≤8.1.2.1
oracle | financial_services_enterprise_case_management | 8.0.7.1 | any
oracle | financial_services_enterprise_case_management | 8.0.7.2 | any
oracle | financial_services_enterprise_case_management | 8.0.8.0 | any
oracle | financial_services_enterprise_case_management | 8.0.8.1 | any
oracle | financial_services_trade-based_anti_money_laundering | 8.0.7 | any
oracle | financial_services_trade-based_anti_money_laundering | 8.0.8 | any
oracle | global_lifecycle_management_nextgen_oui_framework | * | <13.9.4.2.2
oracle | global_lifecycle_management_nextgen_oui_framework | 13.9.4.2.2 | any
oracle | global_lifecycle_management_opatch | * | <12.2.0.1.30
oracle | graph_server_and_client | * | <22.2.0
oracle | health_sciences_empirica_signal | 9.1.0.5.2 | any
oracle | peoplesoft_enterprise_peopletools | 8.58 | any
oracle | peoplesoft_enterprise_peopletools | 8.59 | any
oracle | primavera_gateway | * | ≥17.12.0 – ≤17.12.11
oracle | primavera_gateway | * | ≥18.8.0 – ≤18.8.14
oracle | primavera_gateway | * | ≥19.12.0 – ≤19.12.13
oracle | primavera_gateway | * | ≥20.12.0 – ≤20.12.18
oracle | primavera_gateway | * | ≥21.12.0 – ≤21.12.1
oracle | primavera_p6_enterprise_project_portfolio_management | * | ≥17.12.0.0 – ≤17.12.20.4
oracle | primavera_p6_enterprise_project_portfolio_management | * | ≥18.8.0.0 – ≤18.8.25.4
oracle | primavera_p6_enterprise_project_portfolio_management | * | ≥19.12.0 – ≤19.12.19.0
oracle | primavera_p6_enterprise_project_portfolio_management | * | ≥20.12.0.0 – ≤21.12.4.0
oracle | primavera_unifier | * | ≥17.0 – ≤17.12
oracle | primavera_unifier | 18.0 | any
oracle | primavera_unifier | 19.12 | any
oracle | primavera_unifier | 20.12 | any
oracle | primavera_unifier | 21.12 | any
oracle | retail_sales_audit | 15.0.3.1 | any
oracle | sd-wan_edge | 9.0 | any
oracle | sd-wan_edge | 9.1 | any
oracle | spatial_studio | * | <20.1.0
oracle | utilities_framework | 4.3.0.5.0 | any
oracle | utilities_framework | 4.3.0.6.0 | any
oracle | utilities_framework | 4.4.0.0.0 | any
oracle | utilities_framework | 4.4.0.2.0 | any
oracle | utilities_framework | 4.4.0.3.0 | any
oracle | utilities_framework | 4.4.0.5.0 | any
oracle | weblogic_server | 12.2.1.3.0 | any
oracle | weblogic_server | 12.2.1.4.0 | any
oracle | weblogic_server | 14.1.1.0.0 | any
debian | debian_linux | 9.0 | any
debian | debian_linux | 10.0 | any
debian | debian_linux | 11.0 | any
netapp | active_iq_unified_manager | * | any
netapp | active_iq_unified_manager | * | any
netapp | active_iq_unified_manager | * | any
netapp | cloud_insights_acquisition_unit | * | any
netapp | oncommand_insight | * | any
netapp | oncommand_workflow_automation | * | any
netapp | snap_creator_framework | * | any

References (7)

  • github.com https://github.com/FasterXML/jackson-databind/issues/2816
    Issue Tracking, Third Party Advisory
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2022/05/msg00001.html
    Exploit, Mailing List, Third Party Advisory
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html
    Mailing List, Third Party Advisory
  • security.netapp.com https://security.netapp.com/advisory/ntap-20220506-0004/
    Third Party Advisory
  • debian.org https://www.debian.org/security/2022/dsa-5283
    Third Party Advisory
  • oracle.com https://www.oracle.com/security-alerts/cpuapr2022.html
    Third Party Advisory
  • oracle.com https://www.oracle.com/security-alerts/cpujul2022.html
    Third Party Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.