CVE-2020-28491: Denial of Service (DoS)
FasterXML jackson-dataformats-binary (specifically the jackson-dataformat-cbor module) is vulnerable to a denial of service caused by an unchecked byte-buffer allocation: the CBOR parser allocates a buffer sized by a length value taken from the input before the corresponding data has been read. By sending a specially crafted CBOR payload, a remote attacker could trigger a java.lang.OutOfMemoryError in the parsing JVM, resulting in a denial of service condition.
Other sources
This affects the package com.fasterxml.jackson.dataformat:jackson-dataformat-cbor in all versions before 2.11.4, and in versions from 2.12.0-rc1 up to but not including 2.12.1. An unchecked allocation of a byte buffer, sized from an attacker-controlled length field, can cause a java.lang.OutOfMemoryError exception.
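The following is an added example illustrating the flaw class described above; it is not Jackson's CBORParser code and does not reproduce the upstream fix (see the linked commit for that). It models a parser that decodes the head of a CBOR byte string (major type 2), then either allocates a buffer of the declared size before reading the body (the vulnerable pattern) or first bounds the declared length by the bytes actually present and by a policy cap (the hardened pattern). The JvmHeap class, the 64 MiB heap budget, the 16 MiB cap and the crafted input are all assumptions constructed for this demonstration.

```python
"""Model of an unchecked, header-driven buffer allocation in a CBOR byte-string
decoder (the flaw class behind CVE-2020-28491). Added example, not Jackson code.
JvmHeap, the heap/cap sizes and the sample inputs are constructed here."""
import struct


class OutOfMemoryError(Exception):
    """Stands in for java.lang.OutOfMemoryError."""


class JvmHeap:
    """Toy heap with a fixed budget, like a JVM started with -Xmx (assumed model)."""

    def __init__(self, limit: int):
        self.limit = limit
        self.used = 0

    def allocate(self, n: int) -> bytearray:
        if n < 0 or self.used + n > self.limit:
            raise OutOfMemoryError(f"requested {n} bytes, {self.limit - self.used} free")
        self.used += n
        return bytearray(n)


def read_bstr_head(data: bytes, pos: int = 0):
    """Decode the head of a CBOR byte string (major type 2) at data[pos].
    Returns (declared_length, offset_of_first_body_byte)."""
    if pos >= len(data):
        raise ValueError("truncated input: no head byte")
    head = data[pos]
    major, info = head >> 5, head & 0x1F
    if major != 2:
        raise ValueError(f"expected byte string (major type 2), got major type {major}")
    if info < 24:                                   # length lives in the head byte itself
        return info, pos + 1
    widths = {24: ">B", 25: ">H", 26: ">I", 27: ">Q"}   # 1/2/4/8-byte big-endian lengths
    if info not in widths:
        raise ValueError("indefinite-length byte strings are out of scope for this example")
    fmt = widths[info]
    n = struct.calcsize(fmt)
    if pos + 1 + n > len(data):
        raise ValueError("truncated input: length field incomplete")
    (length,) = struct.unpack(fmt, data[pos + 1:pos + 1 + n])
    return length, pos + 1 + n


def decode_bstr_vulnerable(data: bytes, heap: JvmHeap) -> bytes:
    """Vulnerable pattern: the buffer is sized from the header alone, so a 5-byte
    message can demand ~4 GiB and exhaust the heap before any body byte is read."""
    length, off = read_bstr_head(data)
    buf = heap.allocate(length)                     # unchecked allocation
    body = data[off:off + length]
    if len(body) < length:
        raise ValueError("unexpected end of input")  # too late: the heap is already gone
    buf[:] = body
    return bytes(buf)


def decode_bstr_hardened(data: bytes, heap: JvmHeap,
                         max_len: int = 16 * 1024 * 1024) -> bytes:
    """Hardened pattern: bound the declared length by the bytes actually available
    and by a policy cap before touching the heap. For streaming input the equivalent
    defence is to grow the buffer as bytes arrive instead of pre-allocating."""
    length, off = read_bstr_head(data)
    available = len(data) - off
    if length > available:
        raise ValueError(f"declared length {length} exceeds {available} available bytes")
    if length > max_len:
        raise ValueError(f"declared length {length} exceeds cap {max_len}")
    buf = heap.allocate(length)
    buf[:] = data[off:off + length]
    return bytes(buf)


# Constructed input: 0x5A = major type 2 with additional info 26 (4-byte length),
# followed by 0xFFFFFFFF. Five bytes on the wire declare a 4 GiB byte string.
CRAFTED = bytes([0x5A]) + struct.pack(">I", 0xFFFFFFFF)
# Constructed benign input: 0x43 = major type 2, length 3, then the body "abc".
BENIGN = bytes([0x43]) + b"abc"


def outcome(decoder, data: bytes, heap_limit: int = 64 * 1024 * 1024) -> str:
    """Run a decoder against a fresh heap and summarise the result."""
    heap = JvmHeap(heap_limit)
    try:
        return f"ok: {len(decoder(data, heap))} bytes"
    except OutOfMemoryError:
        return "OutOfMemoryError"
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    for name, decoder in (("vulnerable", decode_bstr_vulnerable),
                          ("hardened", decode_bstr_hardened)):
        print(f"{name:10} benign  -> {outcome(decoder, BENIGN)}")
        print(f"{name:10} crafted -> {outcome(decoder, CRAFTED)}")
```

The benign input decodes identically under both functions; the crafted input exhausts the toy heap in the vulnerable decoder but is rejected by the hardened one before any allocation, which is the property a fix for this class of bug must provide.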
Affected Software
Remediation
Patch Available
Frequently Asked Questions
What is CVE-2020-28491?
CVE-2020-28491 is a vulnerability in the com.fasterxml.jackson.dataformat:jackson-dataformat-cbor package that allows a remote, unauthenticated attacker to cause a denial of service by sending crafted CBOR input that triggers an unchecked byte-buffer allocation and a java.lang.OutOfMemoryError.
How severe is CVE-2020-28491?
CVE-2020-28491 has a CVSS base score of 7.5 (High); the impact is limited to availability.
What is the affected software for CVE-2020-28491?
The affected software for CVE-2020-28491 includes com.fasterxml.jackson.dataformat:jackson-dataformat-cbor in all versions before 2.11.4 and in versions 2.12.0-rc1 up to but not including 2.12.1, as well as rh-sso7-keycloak in versions before 0:9.0.15-1.redhat_00002.1.el6, 0:9.0.15-1.redhat_00002.1.el7, and 0:9.0.15-1.redhat_00002.1.el8 respectively.
How can CVE-2020-28491 be fixed?
To fix CVE-2020-28491, upgrade com.fasterxml.jackson.dataformat:jackson-dataformat-cbor to version 2.11.4 or later on the 2.11 line, or to 2.12.1 or later on the 2.12 line; for Red Hat Single Sign-On, upgrade rh-sso7-keycloak to 0:9.0.15-1.redhat_00002.1.el6, 0:9.0.15-1.redhat_00002.1.el7, or 0:9.0.15-1.redhat_00002.1.el8 for the respective platform. Note that the module is usually pulled in transitively, so check the resolved dependency tree rather than only direct declarations.
Where can I find more information about CVE-2020-28491?
You can find more information about CVE-2020-28491 at the following references: [1](https://github.com/FasterXML/jackson-dataformats-binary/commit/de072d314af8f5f269c8abec6930652af67bc8e6), [2](https://github.com/FasterXML/jackson-dataformats-binary/issues/186), [3](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONDATAFORMAT-1047329).