Vulnerability Description
jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
CVSS Score
7.5
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Fasterxml | Jackson-Databind | < 2.12.6.1 |
| Oracle | Big Data Spatial And Graph | < 23.1 |
| Oracle | Coherence | 14.1.1.0.0 |
| Oracle | Commerce Platform | 11.3.0 |
| Oracle | Communications Billing And Revenue Management | >= 12.0.0.4.0, <= 12.0.0.6.0 |
| Oracle | Communications Cloud Native Core Binding Support Function | 22.1.3 |
| Oracle | Communications Cloud Native Core Console | 1.9.0 |
| Oracle | Communications Cloud Native Core Network Repository Function | 22.1.2 |
| Oracle | Communications Cloud Native Core Network Slice Selection Function | 22.1.0 |
| Oracle | Communications Cloud Native Core Security Edge Protection Proxy | 22.1.1 |
| Oracle | Communications Cloud Native Core Service Communication Proxy | 22.2.0 |
| Oracle | Communications Cloud Native Core Unified Data Repository | 22.2.0 |
| Oracle | Financial Services Analytical Applications Infrastructure | >= 8.0.7, <= 8.1.0.0 |
| Oracle | Financial Services Behavior Detection Platform | >= 8.1.1.0, <= 8.1.2.1 |
| Oracle | Financial Services Crime And Compliance Management Studio | 8.0.8.2.0 |
| Oracle | Financial Services Enterprise Case Management | >= 8.1.1.0, <= 8.1.2.1 |
| Oracle | Financial Services Trade-Based Anti Money Laundering | 8.0.7 |
| Oracle | Global Lifecycle Management Nextgen Oui Framework | < 13.9.4.2.2 |
| Oracle | Global Lifecycle Management Opatch | < 12.2.0.1.30 |
| Oracle | Graph Server And Client | < 22.2.0 |
Related Weaknesses (CWE)
References
- https://github.com/FasterXML/jackson-databind/issues/2816Issue TrackingThird Party Advisory
- https://lists.debian.org/debian-lts-announce/2022/05/msg00001.htmlExploitMailing ListThird Party Advisory
- https://lists.debian.org/debian-lts-announce/2022/11/msg00035.htmlMailing ListThird Party Advisory
- https://security.netapp.com/advisory/ntap-20220506-0004/Third Party Advisory
- https://www.debian.org/security/2022/dsa-5283Third Party Advisory
- https://www.oracle.com/security-alerts/cpuapr2022.htmlThird Party Advisory
- https://www.oracle.com/security-alerts/cpujul2022.htmlThird Party Advisory
- https://github.com/FasterXML/jackson-databind/issues/2816Issue TrackingThird Party Advisory
- https://lists.debian.org/debian-lts-announce/2022/05/msg00001.htmlExploitMailing ListThird Party Advisory
- https://lists.debian.org/debian-lts-announce/2022/11/msg00035.htmlMailing ListThird Party Advisory
- https://security.netapp.com/advisory/ntap-20220506-0004/Third Party Advisory
- https://www.debian.org/security/2022/dsa-5283Third Party Advisory
- https://www.oracle.com/security-alerts/cpuapr2022.htmlThird Party Advisory
- https://www.oracle.com/security-alerts/cpujul2022.htmlThird Party Advisory
FAQ
What is CVE-2020-36518?
CVE-2020-36518 is a vulnerability with a CVSS score of 7.5 (HIGH). jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
How severe is CVE-2020-36518?
CVE-2020-36518 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-36518?
Check the references section above for vendor advisories and patch information. Affected products include: Fasterxml Jackson-Databind, Oracle Big Data Spatial And Graph, Oracle Coherence, Oracle Commerce Platform, Oracle Communications Billing And Revenue Management.