CVE-2020-36518
HIGH EPSS 90.9%
Published Mar 11, 20224y ago · Modified Jun 17, 20262w ago
7.5 CVSS 3.1
Published Mar 11, 2022 4y ago
Last Modified Jun 17, 2026 2w ago
Description
jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High
Threat Intelligence
EPSS Exploit Probability
90.9% percentile
Exploit & Patch Status
Public Exploit Known
No Patch Available
Weaknesses 1
CWE-787 Out-of-bounds Write Memory Safety
Affected Products 77
| Vendor | Product | Version | Range |
|---|---|---|---|
| fasterxml | jackson-databind | * | <2.12.6.1 |
| fasterxml | jackson-databind | * | ≥2.13.0 – <2.13.2.1 |
| oracle | big_data_spatial_and_graph | * | <23.1 |
| oracle | coherence | 14.1.1.0.0 | any |
| oracle | commerce_platform | 11.3.0 | any |
| oracle | commerce_platform | 11.3.1 | any |
| oracle | commerce_platform | 11.3.2 | any |
| oracle | communications_billing_and_revenue_management | * | ≥12.0.0.4.0 – ≤12.0.0.6.0 |
| oracle | communications_cloud_native_core_binding_support_function | 22.1.3 | any |
| oracle | communications_cloud_native_core_console | 1.9.0 | any |
| oracle | communications_cloud_native_core_network_repository_function | 22.1.2 | any |
| oracle | communications_cloud_native_core_network_repository_function | 22.2.0 | any |
| oracle | communications_cloud_native_core_network_slice_selection_function | 22.1.0 | any |
| oracle | communications_cloud_native_core_network_slice_selection_function | 22.1.1 | any |
| oracle | communications_cloud_native_core_security_edge_protection_proxy | 22.1.1 | any |
| oracle | communications_cloud_native_core_service_communication_proxy | 22.2.0 | any |
| oracle | communications_cloud_native_core_unified_data_repository | 22.2.0 | any |
| oracle | financial_services_analytical_applications_infrastructure | * | ≥8.0.7 – ≤8.1.0.0 |
| oracle | financial_services_analytical_applications_infrastructure | 8.1.1.0 | any |
| oracle | financial_services_analytical_applications_infrastructure | 8.1.2.0 | any |
| oracle | financial_services_analytical_applications_infrastructure | 8.1.2.1 | any |
| oracle | financial_services_behavior_detection_platform | * | ≥8.1.1.0 – ≤8.1.2.1 |
| oracle | financial_services_behavior_detection_platform | 8.0.7.0.0 | any |
| oracle | financial_services_behavior_detection_platform | 8.0.8 | any |
| oracle | financial_services_crime_and_compliance_management_studio | 8.0.8.2.0 | any |
| oracle | financial_services_crime_and_compliance_management_studio | 8.0.8.3.0 | any |
| oracle | financial_services_enterprise_case_management | * | ≥8.1.1.0 – ≤8.1.2.1 |
| oracle | financial_services_enterprise_case_management | 8.0.7.1 | any |
| oracle | financial_services_enterprise_case_management | 8.0.7.2 | any |
| oracle | financial_services_enterprise_case_management | 8.0.8.0 | any |
| oracle | financial_services_enterprise_case_management | 8.0.8.1 | any |
| oracle | financial_services_trade-based_anti_money_laundering | 8.0.7 | any |
| oracle | financial_services_trade-based_anti_money_laundering | 8.0.8 | any |
| oracle | global_lifecycle_management_nextgen_oui_framework | * | <13.9.4.2.2 |
| oracle | global_lifecycle_management_nextgen_oui_framework | 13.9.4.2.2 | any |
| oracle | global_lifecycle_management_opatch | * | <12.2.0.1.30 |
| oracle | graph_server_and_client | * | <22.2.0 |
| oracle | health_sciences_empirica_signal | 9.1.0.5.2 | any |
| oracle | peoplesoft_enterprise_peopletools | 8.58 | any |
| oracle | peoplesoft_enterprise_peopletools | 8.59 | any |
| oracle | primavera_gateway | * | ≥17.12.0 – ≤17.12.11 |
| oracle | primavera_gateway | * | ≥18.8.0 – ≤18.8.14 |
| oracle | primavera_gateway | * | ≥19.12.0 – ≤19.12.13 |
| oracle | primavera_gateway | * | ≥20.12.0 – ≤20.12.18 |
| oracle | primavera_gateway | * | ≥21.12.0 – ≤21.12.1 |
| oracle | primavera_p6_enterprise_project_portfolio_management | * | ≥17.12.0.0 – ≤17.12.20.4 |
| oracle | primavera_p6_enterprise_project_portfolio_management | * | ≥18.8.0.0 – ≤18.8.25.4 |
| oracle | primavera_p6_enterprise_project_portfolio_management | * | ≥19.12.0 – ≤19.12.19.0 |
| oracle | primavera_p6_enterprise_project_portfolio_management | * | ≥20.12.0.0 – ≤21.12.4.0 |
| oracle | primavera_unifier | * | ≥17.0 – ≤17.12 |
| oracle | primavera_unifier | 18.0 | any |
| oracle | primavera_unifier | 19.12 | any |
| oracle | primavera_unifier | 20.12 | any |
| oracle | primavera_unifier | 21.12 | any |
| oracle | retail_sales_audit | 15.0.3.1 | any |
| oracle | sd-wan_edge | 9.0 | any |
| oracle | sd-wan_edge | 9.1 | any |
| oracle | spatial_studio | * | <20.1.0 |
| oracle | utilities_framework | 4.3.0.5.0 | any |
| oracle | utilities_framework | 4.3.0.6.0 | any |
| oracle | utilities_framework | 4.4.0.0.0 | any |
| oracle | utilities_framework | 4.4.0.2.0 | any |
| oracle | utilities_framework | 4.4.0.3.0 | any |
| oracle | utilities_framework | 4.4.0.5.0 | any |
| oracle | weblogic_server | 12.2.1.3.0 | any |
| oracle | weblogic_server | 12.2.1.4.0 | any |
| oracle | weblogic_server | 14.1.1.0.0 | any |
| debian | debian_linux | 9.0 | any |
| debian | debian_linux | 10.0 | any |
| debian | debian_linux | 11.0 | any |
| netapp | active_iq_unified_manager | * | any |
| netapp | active_iq_unified_manager | * | any |
| netapp | active_iq_unified_manager | * | any |
| netapp | cloud_insights_acquisition_unit | * | any |
| netapp | oncommand_insight | * | any |
| netapp | oncommand_workflow_automation | * | any |
| netapp | snap_creator_framework | * | any |
References 7
- github.com https://github.com/FasterXML/jackson-databind/issues/2816
- lists.debian.org https://lists.debian.org/debian-lts-announce/2022/05/msg00001.html
- lists.debian.org https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html
- security.netapp.com https://security.netapp.com/advisory/ntap-20220506-0004/
- debian.org https://www.debian.org/security/2022/dsa-5283
- oracle.com https://www.oracle.com/security-alerts/cpuapr2022.html
- oracle.com https://www.oracle.com/security-alerts/cpujul2022.html
Remediation
No remediation data recorded yet
Check vendor advisories and the NVD entry for patch availability.