Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2020-36518

jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.

Published

2022-03-11T07:15:07.800

Last Modified

2025-08-27T21:15:36.420

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.5 (HIGH)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:N/I:N/A:P

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL

Exploitability Score

10.0

Impact Score

2.9

Weaknesses

Type: Primary
CWE-787
Type: Secondary
CWE-787

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	fasterxml	jackson-databind	< 2.12.6.1	Yes
Application	fasterxml	jackson-databind	< 2.13.2.1	Yes
Application	oracle	big_data_spatial_and_graph	< 23.1	Yes
Application	oracle	coherence	14.1.1.0.0	Yes
Application	oracle	commerce_platform	11.3.0	Yes
Application	oracle	commerce_platform	11.3.1	Yes
Application	oracle	commerce_platform	11.3.2	Yes
Application	oracle	communications_billing_and_revenue_management	≤ 12.0.0.6.0	Yes
Application	oracle	communications_cloud_native_core_binding_support_function	22.1.3	Yes
Application	oracle	communications_cloud_native_core_console	1.9.0	Yes
Application	oracle	communications_cloud_native_core_network_repository_function	22.1.2	Yes
Application	oracle	communications_cloud_native_core_network_repository_function	22.2.0	Yes
Application	oracle	communications_cloud_native_core_network_slice_selection_function	22.1.0	Yes
Application	oracle	communications_cloud_native_core_network_slice_selection_function	22.1.1	Yes
Application	oracle	communications_cloud_native_core_security_edge_protection_proxy	22.1.1	Yes
Application	oracle	communications_cloud_native_core_service_communication_proxy	22.2.0	Yes
Application	oracle	communications_cloud_native_core_unified_data_repository	22.2.0	Yes
Application	oracle	financial_services_analytical_applications_infrastructure	≤ 8.1.0.0	Yes
Application	oracle	financial_services_analytical_applications_infrastructure	8.1.1.0	Yes
Application	oracle	financial_services_analytical_applications_infrastructure	8.1.2.0	Yes
Application	oracle	financial_services_analytical_applications_infrastructure	8.1.2.1	Yes
Application	oracle	financial_services_behavior_detection_platform	≤ 8.1.2.1	Yes
Application	oracle	financial_services_behavior_detection_platform	8.0.7.0.0	Yes
Application	oracle	financial_services_behavior_detection_platform	8.0.8	Yes
Application	oracle	financial_services_crime_and_compliance_management_studio	8.0.8.2.0	Yes
Application	oracle	financial_services_crime_and_compliance_management_studio	8.0.8.3.0	Yes
Application	oracle	financial_services_enterprise_case_management	≤ 8.1.2.1	Yes
Application	oracle	financial_services_enterprise_case_management	8.0.7.1	Yes
Application	oracle	financial_services_enterprise_case_management	8.0.7.2	Yes
Application	oracle	financial_services_enterprise_case_management	8.0.8.0	Yes
Application	oracle	financial_services_enterprise_case_management	8.0.8.1	Yes
Application	oracle	financial_services_trade-based_anti_money_laundering	8.0.7	Yes
Application	oracle	financial_services_trade-based_anti_money_laundering	8.0.8	Yes
Application	oracle	global_lifecycle_management_nextgen_oui_framework	< 13.9.4.2.2	Yes
Application	oracle	global_lifecycle_management_nextgen_oui_framework	13.9.4.2.2	Yes
Application	oracle	global_lifecycle_management_opatch	< 12.2.0.1.30	Yes
Application	oracle	graph_server_and_client	< 22.2.0	Yes
Application	oracle	health_sciences_empirica_signal	9.1.0.5.2	Yes
Application	oracle	peoplesoft_enterprise_peopletools	8.58	Yes
Application	oracle	peoplesoft_enterprise_peopletools	8.59	Yes
Application	oracle	primavera_gateway	≤ 17.12.11	Yes
Application	oracle	primavera_gateway	≤ 18.8.14	Yes
Application	oracle	primavera_gateway	≤ 19.12.13	Yes
Application	oracle	primavera_gateway	≤ 20.12.18	Yes
Application	oracle	primavera_gateway	≤ 21.12.1	Yes
Application	oracle	primavera_p6_enterprise_project_portfolio_management	≤ 17.12.20.4	Yes
Application	oracle	primavera_p6_enterprise_project_portfolio_management	≤ 18.8.25.4	Yes
Application	oracle	primavera_p6_enterprise_project_portfolio_management	≤ 19.12.19.0	Yes
Application	oracle	primavera_p6_enterprise_project_portfolio_management	≤ 21.12.4.0	Yes
Application	oracle	primavera_unifier	≤ 17.12	Yes
Application	oracle	primavera_unifier	18.0	Yes
Application	oracle	primavera_unifier	19.12	Yes
Application	oracle	primavera_unifier	20.12	Yes
Application	oracle	primavera_unifier	21.12	Yes
Application	oracle	retail_sales_audit	15.0.3.1	Yes
Application	oracle	sd-wan_edge	9.0	Yes
Application	oracle	sd-wan_edge	9.1	Yes
Application	oracle	spatial_studio	< 20.1.0	Yes
Application	oracle	utilities_framework	4.3.0.5.0	Yes
Application	oracle	utilities_framework	4.3.0.6.0	Yes
Application	oracle	utilities_framework	4.4.0.0.0	Yes
Application	oracle	utilities_framework	4.4.0.2.0	Yes
Application	oracle	utilities_framework	4.4.0.3.0	Yes
Application	oracle	utilities_framework	4.4.0.5.0	Yes
Application	oracle	weblogic_server	12.2.1.3.0	Yes
Application	oracle	weblogic_server	12.2.1.4.0	Yes
Application	oracle	weblogic_server	14.1.1.0.0	Yes
Operating System	debian	debian_linux	9.0	Yes
Operating System	debian	debian_linux	10.0	Yes
Operating System	debian	debian_linux	11.0	Yes
Application	netapp	active_iq_unified_manager	-	Yes
Application	netapp	active_iq_unified_manager	-	Yes
Application	netapp	active_iq_unified_manager	-	Yes
Application	netapp	cloud_insights_acquisition_unit	-	Yes
Application	netapp	oncommand_insight	-	Yes
Application	netapp	oncommand_workflow_automation	-	Yes
Application	netapp	snap_creator_framework	-	Yes

References

https://github.com/FasterXML/jackson-databind/issues/2816 Issue Tracking, Third Party Advisory ([email protected])
https://lists.debian.org/debian-lts-announce/2022/05/msg00001.html Exploit, Mailing List, Third Party Advisory ([email protected])
https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html Mailing List, Third Party Advisory ([email protected])
https://security.netapp.com/advisory/ntap-20220506-0004/ Third Party Advisory ([email protected])
https://www.debian.org/security/2022/dsa-5283 Third Party Advisory ([email protected])
https://www.oracle.com/security-alerts/cpuapr2022.html Third Party Advisory ([email protected])
https://www.oracle.com/security-alerts/cpujul2022.html Third Party Advisory ([email protected])
https://github.com/FasterXML/jackson-databind/issues/2816 Issue Tracking, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.debian.org/debian-lts-announce/2022/05/msg00001.html Exploit, Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://security.netapp.com/advisory/ntap-20220506-0004/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.debian.org/security/2022/dsa-5283 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpuapr2022.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpujul2022.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)