CVE-2020-36518

jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.

CVSS v3 7.5 HIGH
CVSS v2.0 5.0 MEDIUM

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:N/I:N/A:P

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

References

Link	Resource
https://github.com/FasterXML/jackson-databind/issues/2816	Issue Tracking Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/05/msg00001.html	Exploit Mailing List Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html	Mailing List Third Party Advisory
https://security.netapp.com/advisory/ntap-20220506-0004/	Third Party Advisory
https://www.debian.org/security/2022/dsa-5283	Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html	Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:fasterxml:jackson-databind::::::::
	cpe:2.3:a:fasterxml:jackson-databind::::::::

Configuration 2 (hide)

OR	cpe:2.3:a:oracle:big_data_spatial_and_graph::::::::
	cpe:2.3:a:oracle:coherence:14.1.1.0.0:::::::*
	cpe:2.3:a:oracle:commerce_platform:11.3.0:::::::*
	cpe:2.3:a:oracle:commerce_platform:11.3.1:::::::*
	cpe:2.3:a:oracle:commerce_platform:11.3.2:::::::*
	cpe:2.3:a:oracle:communications_billing_and_revenue_management::::::::
	cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:22.1.3:::::::*
	cpe:2.3:a:oracle:communications_cloud_native_core_console:1.9.0:::::::*
	cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:22.1.2:::::::*
	cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:22.2.0:::::::*
	cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:22.1.0:::::::*
	cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:22.1.1:::::::*
	cpe:2.3:a:oracle:communications_cloud_native_core_security_edge_protection_proxy:22.1.1:::::::*
	cpe:2.3:a:oracle:communications_cloud_native_core_service_communication_proxy:22.2.0:::::::*
	cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:22.2.0:::::::*
	cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure::::::::
	cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.1.0:::::::*
	cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.2.0:::::::*
	cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.2.1:::::::*
	cpe:2.3:a:oracle:financial_services_behavior_detection_platform::::::::
	cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.0.7.0.0:::::::*
	cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.0.8:::::::*
	cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.2.0:::::::*
	cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.3.0:::::::*
	cpe:2.3:a:oracle:financial_services_enterprise_case_management::::::::
	cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.7.1:::::::*
	cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.7.2:::::::*
	cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.8.0:::::::*
	cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.8.1:::::::*
	cpe:2.3:a:oracle:financial_services_trade-based_anti_money_laundering:8.0.7::::enterprise:::
	cpe:2.3:a:oracle:financial_services_trade-based_anti_money_laundering:8.0.8::::enterprise:::
	cpe:2.3:a:oracle:global_lifecycle_management_nextgen_oui_framework::::::::
	cpe:2.3:a:oracle:global_lifecycle_management_nextgen_oui_framework:13.9.4.2.2:::::::*
	cpe:2.3:a:oracle:global_lifecycle_management_opatch::::::::
	cpe:2.3:a:oracle:graph_server_and_client::::::::
	cpe:2.3:a:oracle:health_sciences_empirica_signal:9.1.0.5.2:::::::*
	cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:::::::*
	cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:::::::*
	cpe:2.3:a:oracle:primavera_gateway::::::::
	cpe:2.3:a:oracle:primavera_gateway::::::::
	cpe:2.3:a:oracle:primavera_gateway::::::::
	cpe:2.3:a:oracle:primavera_gateway::::::::
	cpe:2.3:a:oracle:primavera_gateway::::::::
	cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management::::::::
	cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management::::::::
	cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management::::::::
	cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management::::::::
	cpe:2.3:a:oracle:primavera_unifier::::::::
	cpe:2.3:a:oracle:primavera_unifier:18.0:::::::*
	cpe:2.3:a:oracle:primavera_unifier:19.12:::::::*
	cpe:2.3:a:oracle:primavera_unifier:20.12:::::::*
	cpe:2.3:a:oracle:primavera_unifier:21.12:::::::*
	cpe:2.3:a:oracle:retail_sales_audit:15.0.3.1:::::::*
	cpe:2.3:a:oracle:sd-wan_edge:9.0:::::::*
	cpe:2.3:a:oracle:sd-wan_edge:9.1:::::::*
	cpe:2.3:a:oracle:spatial_studio::::::::
	cpe:2.3:a:oracle:utilities_framework:4.3.0.5.0:::::::*
	cpe:2.3:a:oracle:utilities_framework:4.3.0.6.0:::::::*
	cpe:2.3:a:oracle:utilities_framework:4.4.0.0.0:::::::*
	cpe:2.3:a:oracle:utilities_framework:4.4.0.2.0:::::::*
	cpe:2.3:a:oracle:utilities_framework:4.4.0.3.0:::::::*
	cpe:2.3:a:oracle:utilities_framework:4.4.0.5.0:::::::*
	cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:::::::*
	cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:::::::*
cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:::::::*

Configuration 3 (hide)

OR	cpe:2.3:o:debian:debian_linux:9.0:::::::*
	cpe:2.3:o:debian:debian_linux:10.0:::::::*
	cpe:2.3:o:debian:debian_linux:11.0:::::::*

Configuration 4 (hide)

OR	cpe:2.3:a:netapp:active_iq_unified_manager:-:::::linux::
	cpe:2.3:a:netapp:active_iq_unified_manager:-:::::vmware_vsphere::
	cpe:2.3:a:netapp:active_iq_unified_manager:-:::::windows::
	cpe:2.3:a:netapp:cloud_insights_acquisition_unit:-:::::::*
	cpe:2.3:a:netapp:oncommand_insight:-:::::::*
	cpe:2.3:a:netapp:oncommand_workflow_automation:-:::::::*
	cpe:2.3:a:netapp:snap_creator_framework:-:::::::*

History

29 Nov 2022, 22:12

Type	Values Removed	Values Added
References	~~(MLIST) https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html -~~	(MLIST) https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html - Mailing List, Third Party Advisory
CPE		cpe:2.3:o:debian:debian_linux:10.0:::::::*

27 Nov 2022, 22:15

Type	Values Removed	Values Added
References		(MLIST) https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html -

21 Nov 2022, 18:17

Type	Values Removed	Values Added
CPE		cpe:2.3:o:debian:debian_linux:11.0:::::::*
References	~~(DEBIAN) https://www.debian.org/security/2022/dsa-5283 -~~	(DEBIAN) https://www.debian.org/security/2022/dsa-5283 - Third Party Advisory

17 Nov 2022, 21:15

Type	Values Removed	Values Added
References		(DEBIAN) https://www.debian.org/security/2022/dsa-5283 -

05 Oct 2022, 19:23

Type	Values Removed	Values Added
CPE		cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:::::::* cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.0.8:::::::* cpe:2.3:a:oracle:sd-wan_edge:9.0:::::::* cpe:2.3:a:oracle:utilities_framework:4.4.0.3.0:::::::* cpe:2.3:a:oracle:primavera_unifier:19.12:::::::* cpe:2.3:a:oracle:primavera_unifier:18.0:::::::* cpe:2.3:a:netapp:active_iq_unified_manager:-:::::windows:: cpe:2.3:a:oracle:primavera_gateway:::::::: cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.1.0:::::::* cpe:2.3:a:oracle:utilities_framework:4.4.0.5.0:::::::* cpe:2.3:a:oracle:financial_services_enterprise_case_management:::::::: cpe:2.3:a:oracle:commerce_platform:11.3.1:::::::* cpe:2.3:a:netapp:oncommand_workflow_automation:-:::::::* cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.7.2:::::::* cpe:2.3:a:oracle:communications_cloud_native_core_service_communication_proxy:22.2.0:::::::* cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:::::::* cpe:2.3:a:oracle:utilities_framework:4.4.0.2.0:::::::* cpe:2.3:a:oracle:utilities_framework:4.3.0.5.0:::::::* cpe:2.3:a:oracle:coherence:14.1.1.0.0:::::::* cpe:2.3:a:oracle:big_data_spatial_and_graph:::::::: cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.0.7.0.0:::::::* cpe:2.3:a:oracle:spatial_studio:::::::: cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:22.2.0:::::::* cpe:2.3:a:oracle:primavera_unifier:::::::: cpe:2.3:o:debian:debian_linux:9.0:::::::* cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.2.0:::::::* cpe:2.3:a:oracle:utilities_framework:4.4.0.0.0:::::::* cpe:2.3:a:oracle:graph_server_and_client:::::::: cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:22.1.1:::::::* cpe:2.3:a:oracle:global_lifecycle_management_nextgen_oui_framework:13.9.4.2.2:::::::* cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.2.0:::::::* cpe:2.3:a:oracle:global_lifecycle_management_nextgen_oui_framework:::::::: cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:::::::: cpe:2.3:a:oracle:commerce_platform:11.3.0:::::::* cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:::::::* cpe:2.3:a:oracle:communications_cloud_native_core_security_edge_protection_proxy:22.1.1:::::::* cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:22.2.0:::::::* cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:::::::* cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.3.0:::::::* cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:22.1.0:::::::* cpe:2.3:a:oracle:communications_billing_and_revenue_management:::::::: cpe:2.3:a:netapp:active_iq_unified_manager:-:::::vmware_vsphere:: cpe:2.3:a:oracle:commerce_platform:11.3.2:::::::* cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.8.1:::::::* cpe:2.3:a:oracle:financial_services_behavior_detection_platform:::::::: cpe:2.3:a:oracle:global_lifecycle_management_opatch:::::::: cpe:2.3:a:oracle:retail_sales_audit:15.0.3.1:::::::* cpe:2.3:a:oracle:health_sciences_empirica_signal:9.1.0.5.2:::::::* cpe:2.3:a:oracle:primavera_unifier:21.12:::::::* cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:::::::* cpe:2.3:a:netapp:oncommand_insight:-:::::::* cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:22.1.3:::::::* cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.2.1:::::::* cpe:2.3:a:oracle:utilities_framework:4.3.0.6.0:::::::* cpe:2.3:a:oracle:primavera_unifier:20.12:::::::* cpe:2.3:a:oracle:financial_services_trade-based_anti_money_laundering:8.0.7::::enterprise::: cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.7.1:::::::* cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.8.0:::::::* cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:::::::: cpe:2.3:a:netapp:snap_creator_framework:-:::::::* cpe:2.3:a:netapp:active_iq_unified_manager:-:::::linux:: cpe:2.3:a:oracle:sd-wan_edge:9.1:::::::* cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:22.1.2:::::::* cpe:2.3:a:oracle:financial_services_trade-based_anti_money_laundering:8.0.8::::enterprise::: cpe:2.3:a:netapp:cloud_insights_acquisition_unit:-:::::::*
References	~~(N/A) https://www.oracle.com/security-alerts/cpujul2022.html -~~	(N/A) https://www.oracle.com/security-alerts/cpujul2022.html - Third Party Advisory
References	~~(CONFIRM) https://security.netapp.com/advisory/ntap-20220506-0004/ -~~	(CONFIRM) https://security.netapp.com/advisory/ntap-20220506-0004/ - Third Party Advisory
References	~~(MLIST) https://lists.debian.org/debian-lts-announce/2022/05/msg00001.html -~~	(MLIST) https://lists.debian.org/debian-lts-announce/2022/05/msg00001.html - Exploit, Mailing List, Third Party Advisory
First Time		Oracle financial Services Enterprise Case Management Oracle utilities Framework Oracle financial Services Behavior Detection Platform Oracle sd-wan Edge Oracle communications Cloud Native Core Network Repository Function Oracle communications Cloud Native Core Binding Support Function Netapp active Iq Unified Manager Oracle primavera P6 Enterprise Project Portfolio Management Debian debian Linux Oracle primavera Gateway Oracle financial Services Crime And Compliance Management Studio Oracle health Sciences Empirica Signal Oracle graph Server And Client Oracle communications Cloud Native Core Unified Data Repository Oracle communications Cloud Native Core Security Edge Protection Proxy Oracle global Lifecycle Management Nextgen Oui Framework Oracle big Data Spatial And Graph Netapp snap Creator Framework Oracle financial Services Analytical Applications Infrastructure Debian Netapp cloud Insights Acquisition Unit Oracle commerce Platform Netapp oncommand Workflow Automation Oracle communications Cloud Native Core Service Communication Proxy Netapp oncommand Insight Oracle primavera Unifier Oracle spatial Studio Oracle coherence Oracle global Lifecycle Management Opatch Oracle retail Sales Audit Oracle communications Billing And Revenue Management Oracle weblogic Server Netapp Oracle peoplesoft Enterprise Peopletools Oracle communications Cloud Native Core Network Slice Selection Function Oracle financial Services Trade-based Anti Money Laundering

25 Jul 2022, 18:15

Type	Values Removed	Values Added
References		(N/A) https://www.oracle.com/security-alerts/cpujul2022.html -

06 May 2022, 14:15

Type	Values Removed	Values Added
References		(CONFIRM) https://security.netapp.com/advisory/ntap-20220506-0004/ -

02 May 2022, 22:15

Type	Values Removed	Values Added
References		(MLIST) https://lists.debian.org/debian-lts-announce/2022/05/msg00001.html -

27 Apr 2022, 19:28

Type	Values Removed	Values Added
References	~~(MISC) https://www.oracle.com/security-alerts/cpuapr2022.html -~~	(MISC) https://www.oracle.com/security-alerts/cpuapr2022.html - Third Party Advisory
First Time		Oracle Oracle communications Cloud Native Core Console
CPE		cpe:2.3:a:oracle:communications_cloud_native_core_console:1.9.0:::::::*

20 Apr 2022, 00:15

Type	Values Removed	Values Added
References		(MISC) https://www.oracle.com/security-alerts/cpuapr2022.html -

18 Mar 2022, 19:52

Type	Values Removed	Values Added
References	~~(MISC) https://github.com/FasterXML/jackson-databind/issues/2816 -~~	(MISC) https://github.com/FasterXML/jackson-databind/issues/2816 - Issue Tracking, Third Party Advisory
CWE		CWE-787
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : 5.0 v3 : 7.5
CPE		cpe:2.3:a:fasterxml:jackson-databind::::::::
First Time		Fasterxml jackson-databind Fasterxml

11 Mar 2022, 07:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-03-11 07:15

Updated : 2023-12-10 14:22

NVD link : CVE-2020-36518

Mitre link : CVE-2020-36518

CVE.ORG link : CVE-2020-36518

JSON object : View

Products Affected

oracle

graph_server_and_client
financial_services_behavior_detection_platform
global_lifecycle_management_opatch
spatial_studio
financial_services_analytical_applications_infrastructure
sd-wan_edge
coherence
primavera_p6_enterprise_project_portfolio_management
communications_cloud_native_core_security_edge_protection_proxy
health_sciences_empirica_signal
global_lifecycle_management_nextgen_oui_framework
primavera_unifier
communications_cloud_native_core_binding_support_function
financial_services_enterprise_case_management
primavera_gateway
commerce_platform
communications_cloud_native_core_console
communications_cloud_native_core_network_slice_selection_function
utilities_framework
peoplesoft_enterprise_peopletools
big_data_spatial_and_graph
financial_services_crime_and_compliance_management_studio
communications_cloud_native_core_network_repository_function
communications_billing_and_revenue_management
financial_services_trade-based_anti_money_laundering
retail_sales_audit
weblogic_server
communications_cloud_native_core_unified_data_repository
communications_cloud_native_core_service_communication_proxy

netapp

snap_creator_framework
cloud_insights_acquisition_unit
oncommand_workflow_automation
oncommand_insight
active_iq_unified_manager

debian

debian_linux

fasterxml

jackson-databind

CWE

CWE-787

Out-of-bounds Write

7.5 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

5.0 /10

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

JSON object

Attach tags to CVE-2020-36518

7.5^/10

5.0^/10

Attach tags to `CVE-2020-36518`