Vulnerability Details : CVE-2020-36518
jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
Vulnerability category: Memory CorruptionDenial of service
Products affected by CVE-2020-36518
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:commerce_platform:11.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:commerce_platform:11.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:commerce_platform:11.3.2:*:*:*:*:*:*:*
- Oracle » Primavera P6 Enterprise Project Portfolio ManagementVersions from including (>=) 17.12.0.0 and up to, including, (<=) 17.12.20.4cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:*
- Oracle » Primavera P6 Enterprise Project Portfolio ManagementVersions from including (>=) 18.8.0.0 and up to, including, (<=) 18.8.25.4cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:*
- Oracle » Primavera P6 Enterprise Project Portfolio ManagementVersions from including (>=) 20.12.0.0 and up to, including, (<=) 21.12.4.0cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:*
- Oracle » Primavera P6 Enterprise Project Portfolio ManagementVersions from including (>=) 19.12.0 and up to, including, (<=) 19.12.19.0cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_unifier:19.12:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_unifier:20.12:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_unifier:21.12:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_unifier:18.0:*:*:*:*:*:*:*
- Oracle » Financial Services Analytical Applications InfrastructureVersions from including (>=) 8.0.7 and up to, including, (<=) 8.1.0.0cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_sales_audit:15.0.3.1:*:*:*:*:*:*:*
- Oracle » Communications Billing And Revenue ManagementVersions from including (>=) 12.0.0.4.0 and up to, including, (<=) 12.0.0.6.0cpe:2.3:a:oracle:communications_billing_and_revenue_management:*:*:*:*:*:*:*:*
- Oracle » Financial Services Behavior Detection PlatformVersions from including (>=) 8.1.1.0 and up to, including, (<=) 8.1.2.1cpe:2.3:a:oracle:financial_services_behavior_detection_platform:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.0.7.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:utilities_framework:4.4.0.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:utilities_framework:4.3.0.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:utilities_framework:4.3.0.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:utilities_framework:4.4.0.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:utilities_framework:4.4.0.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:utilities_framework:4.4.0.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:global_lifecycle_management_opatch:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:global_lifecycle_management_nextgen_oui_framework:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:global_lifecycle_management_nextgen_oui_framework:13.9.4.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:coherence:14.1.1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:sd-wan_edge:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:sd-wan_edge:9.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:health_sciences_empirica_signal:9.1.0.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_cloud_native_core_console:1.9.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:22.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:spatial_studio:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:22.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:22.1.1:*:*:*:*:*:*:*
- Oracle » Financial Services Enterprise Case ManagementVersions from including (>=) 8.1.1.0 and up to, including, (<=) 8.1.2.1cpe:2.3:a:oracle:financial_services_enterprise_case_management:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.7.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_cloud_native_core_security_edge_protection_proxy:22.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:22.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:22.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:graph_server_and_client:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:22.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_cloud_native_core_service_communication_proxy:22.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:big_data_spatial_and_graph:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:financial_services_trade-based_anti_money_laundering:8.0.7:*:*:*:enterprise:*:*:*
- cpe:2.3:a:oracle:financial_services_trade-based_anti_money_laundering:8.0.8:*:*:*:enterprise:*:*:*
- cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*
- cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*
- cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*
- cpe:2.3:a:netapp:cloud_insights_acquisition_unit:-:*:*:*:*:*:*:*
- cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*
- cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-36518
0.26%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 66 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2020-36518
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
10.0
|
2.9
|
NIST | |
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
3.9
|
3.6
|
NIST | |
7.5
|
HIGH | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
N/A
|
N/A
|
Oracle:CPUOct2023 |
CWE ids for CVE-2020-36518
-
The product writes data past the end, or before the beginning, of the intended buffer.Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-36518
-
https://www.oracle.com/security-alerts/cpuapr2022.html
Oracle Critical Patch Update Advisory - April 2022Third Party Advisory
-
https://lists.debian.org/debian-lts-announce/2022/05/msg00001.html
[SECURITY] [DLA 2990-1] jackson-databind security updateExploit;Mailing List;Third Party Advisory
-
https://github.com/FasterXML/jackson-databind/issues/2816
Optimize `UntypedObjectDeserializer` wrt recursion · Issue #2816 · FasterXML/jackson-databind · GitHubIssue Tracking;Third Party Advisory
-
https://www.debian.org/security/2022/dsa-5283
Debian -- Security Information -- DSA-5283-1 jackson-databindThird Party Advisory
-
https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html
[SECURITY] [DLA 3207-1] jackson-databind security updateMailing List;Third Party Advisory
-
https://security.netapp.com/advisory/ntap-20220506-0004/
CVE-2020-36518 FasterXML Jackson Databind Vulnerability in NetApp Products | NetApp Product SecurityThird Party Advisory
-
https://www.oracle.com/security-alerts/cpujul2022.html
Oracle Critical Patch Update Advisory - July 2022Third Party Advisory
Jump to