CVE-2020-36518

jackson-databind: denial of service via a large depth of nested objects

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.

jackson-databind versiones anteriores a 2.13.0, permite una excepción Java StackOverflow y una denegación de servicio por medio de una gran profundidad de objetos anidados

A flaw was found in the Jackson Databind package. This cause of the issue is due to a Java StackOverflow exception and a denial of service via a significant depth of nested objects.

Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.5 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.4 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.5 Release Notes for information about the most significant bug fixes and enhancements included in this release. Issues addressed include HTTP request smuggling, code execution, denial of service, memory leak, and traversal vulnerabilities.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-03-11 CVE Reserved
2022-03-11 CVE Published
2022-03-21 First Exploit
2024-08-04 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-400: Uncontrolled Resource Consumption
CWE-787: Out-of-bounds Write

CAPEC

References (10)

URL	Tag	Source
https://github.com/FasterXML/jackson-databind/issues/2816	Issue Tracking
https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html	Mailing List
https://security.netapp.com/advisory/ntap-20220506-0004	Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html	Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html	Third Party Advisory

URL	Date	SRC
https://github.com/ghillert/boot-jackson-cve	2022-03-21
https://lists.debian.org/debian-lts-announce/2022/05/msg00001.html	2024-08-04

URL	Date	SRC

URL	Date	SRC
https://www.debian.org/security/2022/dsa-5283	2022-11-29
https://access.redhat.com/security/cve/CVE-2020-36518	2024-05-22
https://bugzilla.redhat.com/show_bug.cgi?id=2064698	2024-05-22

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Fasterxml Search vendor "Fasterxml"		Jackson-databind Search vendor "Fasterxml" for product "Jackson-databind"				< 2.12.6.1 Search vendor "Fasterxml" for product "Jackson-databind" and version " < 2.12.6.1"		-		Affected
Fasterxml Search vendor "Fasterxml"		Jackson-databind Search vendor "Fasterxml" for product "Jackson-databind"				>= 2.13.0 < 2.13.2.1 Search vendor "Fasterxml" for product "Jackson-databind" and version " >= 2.13.0 < 2.13.2.1"		-		Affected
Oracle Search vendor "Oracle"		Big Data Spatial And Graph Search vendor "Oracle" for product "Big Data Spatial And Graph"				< 23.1 Search vendor "Oracle" for product "Big Data Spatial And Graph" and version " < 23.1"		-		Affected
Oracle Search vendor "Oracle"		Coherence Search vendor "Oracle" for product "Coherence"				14.1.1.0.0 Search vendor "Oracle" for product "Coherence" and version "14.1.1.0.0"		-		Affected
Oracle Search vendor "Oracle"		Commerce Platform Search vendor "Oracle" for product "Commerce Platform"				11.3.0 Search vendor "Oracle" for product "Commerce Platform" and version "11.3.0"		-		Affected
Oracle Search vendor "Oracle"		Commerce Platform Search vendor "Oracle" for product "Commerce Platform"				11.3.1 Search vendor "Oracle" for product "Commerce Platform" and version "11.3.1"		-		Affected
Oracle Search vendor "Oracle"		Commerce Platform Search vendor "Oracle" for product "Commerce Platform"				11.3.2 Search vendor "Oracle" for product "Commerce Platform" and version "11.3.2"		-		Affected
Oracle Search vendor "Oracle"		Communications Billing And Revenue Management Search vendor "Oracle" for product "Communications Billing And Revenue Management"				>= 12.0.0.4.0 <= 12.0.0.6.0 Search vendor "Oracle" for product "Communications Billing And Revenue Management" and version " >= 12.0.0.4.0 <= 12.0.0.6.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Cloud Native Core Binding Support Function Search vendor "Oracle" for product "Communications Cloud Native Core Binding Support Function"				22.1.3 Search vendor "Oracle" for product "Communications Cloud Native Core Binding Support Function" and version "22.1.3"		-		Affected
Oracle Search vendor "Oracle"		Communications Cloud Native Core Console Search vendor "Oracle" for product "Communications Cloud Native Core Console"				1.9.0 Search vendor "Oracle" for product "Communications Cloud Native Core Console" and version "1.9.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Cloud Native Core Network Repository Function Search vendor "Oracle" for product "Communications Cloud Native Core Network Repository Function"				22.1.2 Search vendor "Oracle" for product "Communications Cloud Native Core Network Repository Function" and version "22.1.2"		-		Affected
Oracle Search vendor "Oracle"		Communications Cloud Native Core Network Repository Function Search vendor "Oracle" for product "Communications Cloud Native Core Network Repository Function"				22.2.0 Search vendor "Oracle" for product "Communications Cloud Native Core Network Repository Function" and version "22.2.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Cloud Native Core Network Slice Selection Function Search vendor "Oracle" for product "Communications Cloud Native Core Network Slice Selection Function"				22.1.0 Search vendor "Oracle" for product "Communications Cloud Native Core Network Slice Selection Function" and version "22.1.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Cloud Native Core Network Slice Selection Function Search vendor "Oracle" for product "Communications Cloud Native Core Network Slice Selection Function"				22.1.1 Search vendor "Oracle" for product "Communications Cloud Native Core Network Slice Selection Function" and version "22.1.1"		-		Affected
Oracle Search vendor "Oracle"		Communications Cloud Native Core Security Edge Protection Proxy Search vendor "Oracle" for product "Communications Cloud Native Core Security Edge Protection Proxy"				22.1.1 Search vendor "Oracle" for product "Communications Cloud Native Core Security Edge Protection Proxy" and version "22.1.1"		-		Affected
Oracle Search vendor "Oracle"		Communications Cloud Native Core Service Communication Proxy Search vendor "Oracle" for product "Communications Cloud Native Core Service Communication Proxy"				22.2.0 Search vendor "Oracle" for product "Communications Cloud Native Core Service Communication Proxy" and version "22.2.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Cloud Native Core Unified Data Repository Search vendor "Oracle" for product "Communications Cloud Native Core Unified Data Repository"				22.2.0 Search vendor "Oracle" for product "Communications Cloud Native Core Unified Data Repository" and version "22.2.0"		-		Affected
Oracle Search vendor "Oracle"		Financial Services Analytical Applications Infrastructure Search vendor "Oracle" for product "Financial Services Analytical Applications Infrastructure"				>= 8.0.7 <= 8.1.0.0 Search vendor "Oracle" for product "Financial Services Analytical Applications Infrastructure" and version " >= 8.0.7 <= 8.1.0.0"		-		Affected
Oracle Search vendor "Oracle"		Financial Services Analytical Applications Infrastructure Search vendor "Oracle" for product "Financial Services Analytical Applications Infrastructure"				8.1.1.0 Search vendor "Oracle" for product "Financial Services Analytical Applications Infrastructure" and version "8.1.1.0"		-		Affected
Oracle Search vendor "Oracle"		Financial Services Analytical Applications Infrastructure Search vendor "Oracle" for product "Financial Services Analytical Applications Infrastructure"				8.1.2.0 Search vendor "Oracle" for product "Financial Services Analytical Applications Infrastructure" and version "8.1.2.0"		-		Affected
Oracle Search vendor "Oracle"		Financial Services Analytical Applications Infrastructure Search vendor "Oracle" for product "Financial Services Analytical Applications Infrastructure"				8.1.2.1 Search vendor "Oracle" for product "Financial Services Analytical Applications Infrastructure" and version "8.1.2.1"		-		Affected
Oracle Search vendor "Oracle"		Financial Services Behavior Detection Platform Search vendor "Oracle" for product "Financial Services Behavior Detection Platform"				>= 8.1.1.0 <= 8.1.2.1 Search vendor "Oracle" for product "Financial Services Behavior Detection Platform" and version " >= 8.1.1.0 <= 8.1.2.1"		-		Affected
Oracle Search vendor "Oracle"		Financial Services Behavior Detection Platform Search vendor "Oracle" for product "Financial Services Behavior Detection Platform"				8.0.7.0.0 Search vendor "Oracle" for product "Financial Services Behavior Detection Platform" and version "8.0.7.0.0"		-		Affected
Oracle Search vendor "Oracle"		Financial Services Behavior Detection Platform Search vendor "Oracle" for product "Financial Services Behavior Detection Platform"				8.0.8 Search vendor "Oracle" for product "Financial Services Behavior Detection Platform" and version "8.0.8"		-		Affected
Oracle Search vendor "Oracle"		Financial Services Crime And Compliance Management Studio Search vendor "Oracle" for product "Financial Services Crime And Compliance Management Studio"				8.0.8.2.0 Search vendor "Oracle" for product "Financial Services Crime And Compliance Management Studio" and version "8.0.8.2.0"		-		Affected
Oracle Search vendor "Oracle"		Financial Services Crime And Compliance Management Studio Search vendor "Oracle" for product "Financial Services Crime And Compliance Management Studio"				8.0.8.3.0 Search vendor "Oracle" for product "Financial Services Crime And Compliance Management Studio" and version "8.0.8.3.0"		-		Affected
Oracle Search vendor "Oracle"		Financial Services Enterprise Case Management Search vendor "Oracle" for product "Financial Services Enterprise Case Management"				>= 8.1.1.0 <= 8.1.2.1 Search vendor "Oracle" for product "Financial Services Enterprise Case Management" and version " >= 8.1.1.0 <= 8.1.2.1"		-		Affected
Oracle Search vendor "Oracle"		Financial Services Enterprise Case Management Search vendor "Oracle" for product "Financial Services Enterprise Case Management"				8.0.7.1 Search vendor "Oracle" for product "Financial Services Enterprise Case Management" and version "8.0.7.1"		-		Affected
Oracle Search vendor "Oracle"		Financial Services Enterprise Case Management Search vendor "Oracle" for product "Financial Services Enterprise Case Management"				8.0.7.2 Search vendor "Oracle" for product "Financial Services Enterprise Case Management" and version "8.0.7.2"		-		Affected
Oracle Search vendor "Oracle"		Financial Services Enterprise Case Management Search vendor "Oracle" for product "Financial Services Enterprise Case Management"				8.0.8.0 Search vendor "Oracle" for product "Financial Services Enterprise Case Management" and version "8.0.8.0"		-		Affected
Oracle Search vendor "Oracle"		Financial Services Enterprise Case Management Search vendor "Oracle" for product "Financial Services Enterprise Case Management"				8.0.8.1 Search vendor "Oracle" for product "Financial Services Enterprise Case Management" and version "8.0.8.1"		-		Affected
Oracle Search vendor "Oracle"		Financial Services Trade-based Anti Money Laundering Search vendor "Oracle" for product "Financial Services Trade-based Anti Money Laundering"				8.0.7 Search vendor "Oracle" for product "Financial Services Trade-based Anti Money Laundering" and version "8.0.7"		enterprise		Affected
Oracle Search vendor "Oracle"		Financial Services Trade-based Anti Money Laundering Search vendor "Oracle" for product "Financial Services Trade-based Anti Money Laundering"				8.0.8 Search vendor "Oracle" for product "Financial Services Trade-based Anti Money Laundering" and version "8.0.8"		enterprise		Affected
Oracle Search vendor "Oracle"		Global Lifecycle Management Nextgen Oui Framework Search vendor "Oracle" for product "Global Lifecycle Management Nextgen Oui Framework"				< 13.9.4.2.2 Search vendor "Oracle" for product "Global Lifecycle Management Nextgen Oui Framework" and version " < 13.9.4.2.2"		-		Affected
Oracle Search vendor "Oracle"		Global Lifecycle Management Nextgen Oui Framework Search vendor "Oracle" for product "Global Lifecycle Management Nextgen Oui Framework"				13.9.4.2.2 Search vendor "Oracle" for product "Global Lifecycle Management Nextgen Oui Framework" and version "13.9.4.2.2"		-		Affected
Oracle Search vendor "Oracle"		Global Lifecycle Management Opatch Search vendor "Oracle" for product "Global Lifecycle Management Opatch"				< 12.2.0.1.30 Search vendor "Oracle" for product "Global Lifecycle Management Opatch" and version " < 12.2.0.1.30"		-		Affected
Oracle Search vendor "Oracle"		Graph Server And Client Search vendor "Oracle" for product "Graph Server And Client"				< 22.2.0 Search vendor "Oracle" for product "Graph Server And Client" and version " < 22.2.0"		-		Affected
Oracle Search vendor "Oracle"		Health Sciences Empirica Signal Search vendor "Oracle" for product "Health Sciences Empirica Signal"				9.1.0.5.2 Search vendor "Oracle" for product "Health Sciences Empirica Signal" and version "9.1.0.5.2"		-		Affected
Oracle Search vendor "Oracle"		Peoplesoft Enterprise Peopletools Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools"				8.58 Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools" and version "8.58"		-		Affected
Oracle Search vendor "Oracle"		Peoplesoft Enterprise Peopletools Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools"				8.59 Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools" and version "8.59"		-		Affected
Oracle Search vendor "Oracle"		Primavera Gateway Search vendor "Oracle" for product "Primavera Gateway"				>= 17.12.0 <= 17.12.11 Search vendor "Oracle" for product "Primavera Gateway" and version " >= 17.12.0 <= 17.12.11"		-		Affected
Oracle Search vendor "Oracle"		Primavera Gateway Search vendor "Oracle" for product "Primavera Gateway"				>= 18.8.0 <= 18.8.14 Search vendor "Oracle" for product "Primavera Gateway" and version " >= 18.8.0 <= 18.8.14"		-		Affected
Oracle Search vendor "Oracle"		Primavera Gateway Search vendor "Oracle" for product "Primavera Gateway"				>= 19.12.0 <= 19.12.13 Search vendor "Oracle" for product "Primavera Gateway" and version " >= 19.12.0 <= 19.12.13"		-		Affected
Oracle Search vendor "Oracle"		Primavera Gateway Search vendor "Oracle" for product "Primavera Gateway"				>= 20.12.0 <= 20.12.18 Search vendor "Oracle" for product "Primavera Gateway" and version " >= 20.12.0 <= 20.12.18"		-		Affected
Oracle Search vendor "Oracle"		Primavera Gateway Search vendor "Oracle" for product "Primavera Gateway"				>= 21.12.0 <= 21.12.1 Search vendor "Oracle" for product "Primavera Gateway" and version " >= 21.12.0 <= 21.12.1"		-		Affected
Oracle Search vendor "Oracle"		Primavera P6 Enterprise Project Portfolio Management Search vendor "Oracle" for product "Primavera P6 Enterprise Project Portfolio Management"				>= 17.12.0.0 <= 17.12.20.4 Search vendor "Oracle" for product "Primavera P6 Enterprise Project Portfolio Management" and version " >= 17.12.0.0 <= 17.12.20.4"		-		Affected
Oracle Search vendor "Oracle"		Primavera P6 Enterprise Project Portfolio Management Search vendor "Oracle" for product "Primavera P6 Enterprise Project Portfolio Management"				>= 18.8.0.0 <= 18.8.25.4 Search vendor "Oracle" for product "Primavera P6 Enterprise Project Portfolio Management" and version " >= 18.8.0.0 <= 18.8.25.4"		-		Affected
Oracle Search vendor "Oracle"		Primavera P6 Enterprise Project Portfolio Management Search vendor "Oracle" for product "Primavera P6 Enterprise Project Portfolio Management"				>= 19.12.0 <= 19.12.19.0 Search vendor "Oracle" for product "Primavera P6 Enterprise Project Portfolio Management" and version " >= 19.12.0 <= 19.12.19.0"		-		Affected
Oracle Search vendor "Oracle"		Primavera P6 Enterprise Project Portfolio Management Search vendor "Oracle" for product "Primavera P6 Enterprise Project Portfolio Management"				>= 20.12.0.0 <= 21.12.4.0 Search vendor "Oracle" for product "Primavera P6 Enterprise Project Portfolio Management" and version " >= 20.12.0.0 <= 21.12.4.0"		-		Affected
Oracle Search vendor "Oracle"		Primavera Unifier Search vendor "Oracle" for product "Primavera Unifier"				>= 17.0 <= 17.12 Search vendor "Oracle" for product "Primavera Unifier" and version " >= 17.0 <= 17.12"		-		Affected
Oracle Search vendor "Oracle"		Primavera Unifier Search vendor "Oracle" for product "Primavera Unifier"				18.0 Search vendor "Oracle" for product "Primavera Unifier" and version "18.0"		-		Affected
Oracle Search vendor "Oracle"		Primavera Unifier Search vendor "Oracle" for product "Primavera Unifier"				19.12 Search vendor "Oracle" for product "Primavera Unifier" and version "19.12"		-		Affected
Oracle Search vendor "Oracle"		Primavera Unifier Search vendor "Oracle" for product "Primavera Unifier"				20.12 Search vendor "Oracle" for product "Primavera Unifier" and version "20.12"		-		Affected
Oracle Search vendor "Oracle"		Primavera Unifier Search vendor "Oracle" for product "Primavera Unifier"				21.12 Search vendor "Oracle" for product "Primavera Unifier" and version "21.12"		-		Affected
Oracle Search vendor "Oracle"		Retail Sales Audit Search vendor "Oracle" for product "Retail Sales Audit"				15.0.3.1 Search vendor "Oracle" for product "Retail Sales Audit" and version "15.0.3.1"		-		Affected
Oracle Search vendor "Oracle"		Sd-wan Edge Search vendor "Oracle" for product "Sd-wan Edge"				9.0 Search vendor "Oracle" for product "Sd-wan Edge" and version "9.0"		-		Affected
Oracle Search vendor "Oracle"		Sd-wan Edge Search vendor "Oracle" for product "Sd-wan Edge"				9.1 Search vendor "Oracle" for product "Sd-wan Edge" and version "9.1"		-		Affected
Oracle Search vendor "Oracle"		Spatial Studio Search vendor "Oracle" for product "Spatial Studio"				< 20.1.0 Search vendor "Oracle" for product "Spatial Studio" and version " < 20.1.0"		-		Affected
Oracle Search vendor "Oracle"		Utilities Framework Search vendor "Oracle" for product "Utilities Framework"				4.3.0.5.0 Search vendor "Oracle" for product "Utilities Framework" and version "4.3.0.5.0"		-		Affected
Oracle Search vendor "Oracle"		Utilities Framework Search vendor "Oracle" for product "Utilities Framework"				4.3.0.6.0 Search vendor "Oracle" for product "Utilities Framework" and version "4.3.0.6.0"		-		Affected
Oracle Search vendor "Oracle"		Utilities Framework Search vendor "Oracle" for product "Utilities Framework"				4.4.0.0.0 Search vendor "Oracle" for product "Utilities Framework" and version "4.4.0.0.0"		-		Affected
Oracle Search vendor "Oracle"		Utilities Framework Search vendor "Oracle" for product "Utilities Framework"				4.4.0.2.0 Search vendor "Oracle" for product "Utilities Framework" and version "4.4.0.2.0"		-		Affected
Oracle Search vendor "Oracle"		Utilities Framework Search vendor "Oracle" for product "Utilities Framework"				4.4.0.3.0 Search vendor "Oracle" for product "Utilities Framework" and version "4.4.0.3.0"		-		Affected
Oracle Search vendor "Oracle"		Utilities Framework Search vendor "Oracle" for product "Utilities Framework"				4.4.0.5.0 Search vendor "Oracle" for product "Utilities Framework" and version "4.4.0.5.0"		-		Affected
Oracle Search vendor "Oracle"		Weblogic Server Search vendor "Oracle" for product "Weblogic Server"				12.2.1.3.0 Search vendor "Oracle" for product "Weblogic Server" and version "12.2.1.3.0"		-		Affected
Oracle Search vendor "Oracle"		Weblogic Server Search vendor "Oracle" for product "Weblogic Server"				12.2.1.4.0 Search vendor "Oracle" for product "Weblogic Server" and version "12.2.1.4.0"		-		Affected
Oracle Search vendor "Oracle"		Weblogic Server Search vendor "Oracle" for product "Weblogic Server"				14.1.1.0.0 Search vendor "Oracle" for product "Weblogic Server" and version "14.1.1.0.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				11.0 Search vendor "Debian" for product "Debian Linux" and version "11.0"		-		Affected
Netapp Search vendor "Netapp"		Active Iq Unified Manager Search vendor "Netapp" for product "Active Iq Unified Manager"				-		linux		Affected
Netapp Search vendor "Netapp"		Active Iq Unified Manager Search vendor "Netapp" for product "Active Iq Unified Manager"				-		vmware_vsphere		Affected
Netapp Search vendor "Netapp"		Active Iq Unified Manager Search vendor "Netapp" for product "Active Iq Unified Manager"				-		windows		Affected
Netapp Search vendor "Netapp"		Cloud Insights Acquisition Unit Search vendor "Netapp" for product "Cloud Insights Acquisition Unit"				-		-		Affected
Netapp Search vendor "Netapp"		Oncommand Insight Search vendor "Netapp" for product "Oncommand Insight"				-		-		Affected
Netapp Search vendor "Netapp"		Oncommand Workflow Automation Search vendor "Netapp" for product "Oncommand Workflow Automation"				-		-		Affected
Netapp Search vendor "Netapp"		Snap Creator Framework Search vendor "Netapp" for product "Snap Creator Framework"				-		-		Affected