CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-3894 – DOS in jackson-dataformats-text
https://notcve.org/view.php?id=CVE-2023-3894
08 Aug 2023 — Those using jackson-dataformats-text to parse TOML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack. • https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50083 • CWE-20: Improper Input Validation CWE-787: Out-of-bounds Write •
CVSS: 4.7EPSS: 0%CPEs: 1EXPL: 0CVE-2023-35116 – jackson-databind: denial of service via cylic dependencies
https://notcve.org/view.php?id=CVE-2023-35116
14 Jun 2023 — jackson-databind through 2.15.2 allows attackers to cause a denial of service or other unspecified impact via a crafted object that uses cyclic dependencies. NOTE: the vendor's perspective is that this is not a valid vulnerability report, because the steps of constructing a cyclic data structure and trying to serialize it cannot be achieved by an external attacker. Red Hat Data Grid is an in-memory, distributed, NoSQL datastore solution. It increases application response times and allows for dramatically im... • https://github.com/FasterXML/jackson-databind/issues/3972 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 1CVE-2021-46877 – jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode
https://notcve.org/view.php?id=CVE-2021-46877
18 Mar 2023 — jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1 allows attackers to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization. A flaw was found in Jackson Databind. This issue may allow a malicious user to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization. Red Hat Single Sign-On is an integrated sign-on solution, available as a Red Hat JBoss ... • https://github.com/FasterXML/jackson-databind/issues/3328 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 8.1EPSS: 5%CPEs: 3EXPL: 1CVE-2020-10650
https://notcve.org/view.php?id=CVE-2020-10650
26 Dec 2022 — A deserialization flaw was discovered in jackson-databind through 2.9.10.4. It could allow an unauthenticated user to perform code execution via ignite-jta or quartz-core: org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup, org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory, and org.quartz.utils.JNDIConnectionProvider. Se descubrió un fallo de deserialización en jackson-databind hasta 2.9.10.4. Podría permitir que un usuario no autenticado realice la ejecución de código a través de ignite-jta o quartz-core... • https://github.com/FasterXML/jackson-databind/commit/a424c038ba0c0d65e579e22001dec925902ac0ef • CWE-502: Deserialization of Untrusted Data •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 2CVE-2022-42004 – jackson-databind: use of deeply nested arrays
https://notcve.org/view.php?id=CVE-2022-42004
02 Oct 2022 — In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization. En FasterXML jackson-databind versiones anteriores a 2.13.4, el agotamiento de los recursos puede ocurrir debido a una falta de comprobación en BeanDeserializer._deserializeFromArray para impedir el uso de arrays profundamente anidados. • https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50490 • CWE-502: Deserialization of Untrusted Data •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 2CVE-2022-42003 – jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS
https://notcve.org/view.php?id=CVE-2022-42003
02 Oct 2022 — In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. En FasterXML jackson-databind anterior a 2.14.0-rc1, puede producirse un agotamiento de recursos debido a la falta de una comprobación en los deserializadores de valores primitivos para evitar el anidamiento de arrays envolventes profundos, cuando la funció... • https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51020 • CWE-502: Deserialization of Untrusted Data •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 1CVE-2022-40152 – Stack Buffer Overflow in Woodstox
https://notcve.org/view.php?id=CVE-2022-40152
16 Sep 2022 — Those using Woodstox to parse XML data may be vulnerable to Denial of Service attacks (DOS) if DTD support is enabled. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack. Los que usan Xstream para seralizar datos XML pueden ser vulnerables a ataques de Denegación de Servicio (DOS). Si el analizador es ejecutado con la entrada suministrada por el usuario, un atacante puede suminis... • https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47434 • CWE-121: Stack-based Buffer Overflow CWE-787: Out-of-bounds Write •
CVSS: 7.5EPSS: 0%CPEs: 77EXPL: 2CVE-2020-36518 – jackson-databind: denial of service via a large depth of nested objects
https://notcve.org/view.php?id=CVE-2020-36518
11 Mar 2022 — jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects. jackson-databind versiones anteriores a 2.13.0, permite una excepción Java StackOverflow y una denegación de servicio por medio de una gran profundidad de objetos anidados A flaw was found in the Jackson Databind package. This cause of the issue is due to a Java StackOverflow exception and a denial of service via a significant depth of nested objects. Red Hat JBoss Enterprise Appli... • https://github.com/ghillert/boot-jackson-cve • CWE-400: Uncontrolled Resource Consumption CWE-787: Out-of-bounds Write •
CVSS: 7.5EPSS: 0%CPEs: 9EXPL: 0CVE-2020-28491 – Denial of Service (DoS)
https://notcve.org/view.php?id=CVE-2020-28491
18 Feb 2021 — This affects the package com.fasterxml.jackson.dataformat:jackson-dataformat-cbor from 0 and before 2.11.4, from 2.12.0-rc1 and before 2.12.1. Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception. Esto afecta al paquete com.fasterxml.jackson.dataformat:jackson-dataformat-cbor versiones desde 0 y anteriores a 2.11.4, versiones desde 2.12.0-rc1 y anteriores a 2.12.1. Una asignación no comprobada de búfer de bytes puede causar una excepción de java.lang.OutOfMemoryError Red... • https://github.com/FasterXML/jackson-dataformats-binary/commit/de072d314af8f5f269c8abec6930652af67bc8e6 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 8.3EPSS: 0%CPEs: 10EXPL: 0CVE-2021-20190 – jackson-databind: mishandles the interaction between serialization gadgets and typing, related to javax.swing
https://notcve.org/view.php?id=CVE-2021-20190
19 Jan 2021 — A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. Se encontró un fallo en jackson-databind versiones anteriores a 2.9.10.7. FasterXML maneja inapropiadamente la interacción entre los gadgets de serialización y escritura. • https://bugzilla.redhat.com/show_bug.cgi?id=1916633 • CWE-502: Deserialization of Untrusted Data •