CVE-2020-36518
Severity CVSS v4.0:
Pending analysis
Type:
CWE-787
Out-of-bounds Write
Publication date:
11/03/2022
Last modified:
27/08/2025
Description
jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
Impact
Base Score 3.x
7.50
Severity 3.x
HIGH
Base Score 2.0
5.00
Severity 2.0
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:* | 2.12.6.1 (excluding) | |
| cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:* | 2.13.0 (including) | 2.13.2.1 (excluding) |
| cpe:2.3:a:oracle:big_data_spatial_and_graph:*:*:*:*:*:*:*:* | 23.1 (excluding) | |
| cpe:2.3:a:oracle:coherence:14.1.1.0.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:oracle:commerce_platform:11.3.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:oracle:commerce_platform:11.3.1:*:*:*:*:*:*:* | ||
| cpe:2.3:a:oracle:commerce_platform:11.3.2:*:*:*:*:*:*:* | ||
| cpe:2.3:a:oracle:communications_billing_and_revenue_management:*:*:*:*:*:*:*:* | 12.0.0.4.0 (including) | 12.0.0.6.0 (including) |
| cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:22.1.3:*:*:*:*:*:*:* | ||
| cpe:2.3:a:oracle:communications_cloud_native_core_console:1.9.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:22.1.2:*:*:*:*:*:*:* | ||
| cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:22.2.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:22.1.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:22.1.1:*:*:*:*:*:*:* | ||
| cpe:2.3:a:oracle:communications_cloud_native_core_security_edge_protection_proxy:22.1.1:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://github.com/FasterXML/jackson-databind/issues/2816
- https://lists.debian.org/debian-lts-announce/2022/05/msg00001.html
- https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html
- https://security.netapp.com/advisory/ntap-20220506-0004/
- https://www.debian.org/security/2022/dsa-5283
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://github.com/FasterXML/jackson-databind/issues/2816
- https://lists.debian.org/debian-lts-announce/2022/05/msg00001.html
- https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html
- https://security.netapp.com/advisory/ntap-20220506-0004/
- https://www.debian.org/security/2022/dsa-5283
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html