CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-3894 – DOS in jackson-dataformats-text
https://notcve.org/view.php?id=CVE-2023-3894
Those using jackson-dataformats-text to parse TOML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack. • https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50083 https://github.com/FasterXML/jackson-dataformats-text/blob/2.16/release-notes/VERSION-2.x https://github.com/FasterXML/jackson-dataformats-text/pull/398 • CWE-20: Improper Input Validation CWE-787: Out-of-bounds Write •
CVSS: 4.7EPSS: 0%CPEs: 1EXPL: 0CVE-2023-35116 – jackson-databind: denial of service via cylic dependencies
https://notcve.org/view.php?id=CVE-2023-35116
jackson-databind through 2.15.2 allows attackers to cause a denial of service or other unspecified impact via a crafted object that uses cyclic dependencies. NOTE: the vendor's perspective is that this is not a valid vulnerability report, because the steps of constructing a cyclic data structure and trying to serialize it cannot be achieved by an external attacker. • https://github.com/FasterXML/jackson-databind/issues/3972 https://access.redhat.com/security/cve/CVE-2023-35116 https://bugzilla.redhat.com/show_bug.cgi?id=2215214 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 1CVE-2021-46877 – jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode
https://notcve.org/view.php?id=CVE-2021-46877
jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1 allows attackers to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization. A flaw was found in Jackson Databind. This issue may allow a malicious user to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization. • https://github.com/FasterXML/jackson-databind/issues/3328 https://groups.google.com/g/jackson-user/c/OsBsirPM_Vw https://access.redhat.com/security/cve/CVE-2021-46877 https://bugzilla.redhat.com/show_bug.cgi?id=2185707 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 8.1EPSS: 0%CPEs: 3EXPL: 1CVE-2020-10650
https://notcve.org/view.php?id=CVE-2020-10650
A deserialization flaw was discovered in jackson-databind through 2.9.10.4. It could allow an unauthenticated user to perform code execution via ignite-jta or quartz-core: org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup, org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory, and org.quartz.utils.JNDIConnectionProvider. Se descubrió un fallo de deserialización en jackson-databind hasta 2.9.10.4. Podría permitir que un usuario no autenticado realice la ejecución de código a través de ignite-jta o quartz-core: org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup, org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory y org. quartz.utils.JNDIConnectionProvider. • https://github.com/FasterXML/jackson-databind/commit/a424c038ba0c0d65e579e22001dec925902ac0ef https://github.com/FasterXML/jackson-databind/issues/2658 https://github.com/advisories/GHSA-rpr3-cw39-3pxh https://lists.debian.org/debian-lts-announce/2023/04/msg00032.html https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 https://security.netapp.com/advisory/ntap-20230818-0007 https://www.oracle.com/security-alerts/cpujan2021.html https://www.oracle.com/ • CWE-502: Deserialization of Untrusted Data •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 2CVE-2022-42003 – jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS
https://notcve.org/view.php?id=CVE-2022-42003
In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. En FasterXML jackson-databind anterior a 2.14.0-rc1, puede producirse un agotamiento de recursos debido a la falta de una comprobación en los deserializadores de valores primitivos para evitar el anidamiento de arrays envolventes profundos, cuando la función UNWRAP_SINGLE_VALUE_ARRAYS está activada. Versión de corrección adicional en 2.13.4.1 y 2.12.17.1 A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting. • https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51020 https://github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33 https://github.com/FasterXML/jackson-databind/issues/3590 https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html https://security.gentoo.org/glsa/202210-21 https://security.netapp.com/advisory/ntap-20221124-0004 https://www.debian.org/security/2022/dsa-5283 https://access.redhat.com/security/cve/CVE-2022-42003 https://bugzilla.r • CWE-502: Deserialization of Untrusted Data •