CVE-2020-36518: High severity fasterxml jackson-databind vulnerability

Published Aug 13, 2020
·
Updated

A flaw was found in the Jackson Databind package. This cause of the issue is due to a Java StackOverflow exception and a denial of service via a significant depth of nested objects.

Other sources

A Java StackOverflow exception and denial of service via a large depth of nested objects.

Reference:

https://github.com/FasterXML/jackson-databind/issues/2816

Red Hat

jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.

jackson-databind is a data-binding package for the Jackson Data Processor. jackson-databind allows a Java stack overflow exception and denial of service via a large depth of nested objects.

GitHub

Affected Software

93 affected componentsFixes available
debian/jackson-databind<=2.9.8-3+deb10u3
2.9.8-3+deb10u52.12.1-1+deb11u12.14.0-1
redhat/jackson-databind<0:2.14.1-2.el9
0:2.14.1-2.el9
redhat/eap7-jackson-databind<0:2.12.6.1-1.redhat_00003.1.el8ea
0:2.12.6.1-1.redhat_00003.1.el8ea
redhat/eap7-jackson-databind<0:2.12.6.1-1.redhat_00003.1.el7ea
0:2.12.6.1-1.redhat_00003.1.el7ea
redhat/rh-sso7-keycloak<0:15.0.8-1.redhat_00001.1.el7
0:15.0.8-1.redhat_00001.1.el7
redhat/rh-sso7-keycloak<0:15.0.8-1.redhat_00001.1.el8
0:15.0.8-1.redhat_00001.1.el8
redhat/rh-sso7-keycloak<0:18.0.3-1.redhat_00001.1.el7
0:18.0.3-1.redhat_00001.1.el7
redhat/rh-sso7-keycloak<0:18.0.3-1.redhat_00001.1.el8
0:18.0.3-1.redhat_00001.1.el8
redhat/rh-sso7<0:1-5.el9
0:1-5.el9
redhat/rh-sso7-javapackages-tools<0:6.0.0-7.el9
0:6.0.0-7.el9
redhat/rh-sso7-keycloak<0:18.0.3-1.redhat_00001.1.el9
0:18.0.3-1.redhat_00001.1.el9
maven/com.fasterxml.jackson.core:jackson-databind<=2.12.6.0
2.12.6.1
maven/com.fasterxml.jackson.core:jackson-databind>=2.13.0<=2.13.2.0
2.13.2.1
fasterxml jackson-databind<2.12.6.1
fasterxml jackson-databind>=2.13.0<2.13.2.1
Oracle Big Data Spatial And Graph<23.1
Oracle Coherence=14.1.1.0.0
Oracle Commerce Platform=11.3.0
Oracle Commerce Platform=11.3.1
Oracle Commerce Platform=11.3.2
Oracle Communications Billing and Revenue Management>=12.0.0.4.0<=12.0.0.6.0
Oracle Communications Cloud Native Core Binding Support Function=22.1.3
Oracle Communications Cloud Native Core Console=1.9.0
Oracle Communications Cloud Native Core Network Repository Function=22.1.2
Oracle Communications Cloud Native Core Network Repository Function=22.2.0
Oracle Communications Cloud Native Core Network Slice Selection Function=22.1.0
Oracle Communications Cloud Native Core Network Slice Selection Function=22.1.1
Oracle Communications Cloud Native Core Security Edge Protection Proxy=22.1.1
Oracle Communications Cloud Native Core Service Communication Proxy=22.2.0
Oracle Communications Cloud Native Core Unified Data Repository=22.2.0
Oracle Financial Services Analytical Applications Infrastructure>=8.0.7<=8.1.0.0
Oracle Financial Services Analytical Applications Infrastructure=8.1.1.0
Oracle Financial Services Analytical Applications Infrastructure=8.1.2.0
Oracle Financial Services Analytical Applications Infrastructure=8.1.2.1
Oracle Financial Services Behavior Detection Platform>=8.1.1.0<=8.1.2.1
Oracle Financial Services Behavior Detection Platform=8.0.7.0.0
Oracle Financial Services Behavior Detection Platform=8.0.8
Oracle Financial Services Crime And Compliance Management Studio=8.0.8.2.0
Oracle Financial Services Crime And Compliance Management Studio=8.0.8.3.0
Oracle Financial Services Enterprise Case Management>=8.1.1.0<=8.1.2.1
Oracle Financial Services Enterprise Case Management=8.0.7.1
Oracle Financial Services Enterprise Case Management=8.0.7.2
Oracle Financial Services Enterprise Case Management=8.0.8.0
Oracle Financial Services Enterprise Case Management=8.0.8.1
Oracle Financial Services Trade-based Anti Money Laundering=8.0.7
Oracle Financial Services Trade-based Anti Money Laundering=8.0.8
Oracle Global Lifecycle Management NextGen OUI Framework<13.9.4.2.2
Oracle Global Lifecycle Management NextGen OUI Framework=13.9.4.2.2
Oracle Global Lifecycle Management Opatch<12.2.0.1.30
Oracle Graph Server And Client<22.2.0
Oracle Health Sciences Empirica Signal=9.1.0.5.2
Oracle PeopleSoft Enterprise PeopleTools=8.58
Oracle PeopleSoft Enterprise PeopleTools=8.59
Oracle Primavera Gateway>=17.12.0<=17.12.11
Oracle Primavera Gateway>=18.8.0<=18.8.14
Oracle Primavera Gateway>=19.12.0<=19.12.13
Oracle Primavera Gateway>=20.12.0<=20.12.18
Oracle Primavera Gateway>=21.12.0<=21.12.1
Oracle Primavera P6 Enterprise Project Portfolio Management>=17.12.0.0<=17.12.20.4
Oracle Primavera P6 Enterprise Project Portfolio Management>=18.8.0.0<=18.8.25.4
Oracle Primavera P6 Enterprise Project Portfolio Management>=19.12.0<=19.12.19.0
Oracle Primavera P6 Enterprise Project Portfolio Management>=20.12.0.0<=21.12.4.0
Oracle Primavera Unifier>=17.0<=17.12
Oracle Primavera Unifier=18.0
Oracle Primavera Unifier=19.12
Oracle Primavera Unifier=20.12
Oracle Primavera Unifier=21.12
Oracle Retail Sales Audit=15.0.3.1
Oracle SD-WAN Edge=9.0
Oracle SD-WAN Edge=9.1
Oracle Spatial Studio<20.1.0
Oracle Utilities Framework=4.3.0.5.0
Oracle Utilities Framework=4.3.0.6.0
Oracle Utilities Framework=4.4.0.0.0
Oracle Utilities Framework=4.4.0.2.0
Oracle Utilities Framework=4.4.0.3.0
Oracle Utilities Framework=4.4.0.5.0
Oracle WebLogic Server=12.2.1.3.0
Oracle WebLogic Server=12.2.1.4.0
Oracle WebLogic Server=14.1.1.0.0
Debian Debian Linux=9.0
Debian Debian Linux=10.0
Debian Debian Linux=11.0
NetApp Active Iq Unified Manager Linux
NetApp Active Iq Unified Manager Vmware Vsphere
NetApp Active Iq Unified Manager Windows
NetApp Cloud Insights Acquisition Unit
NetApp OnCommand Insight
NetApp OnCommand Workflow Automation
NetApp Snap Creator Framework
redhat/jackson-databind<2.12.6.1
2.12.6.1
redhat/jackson-databind<2.13.2.1
2.13.2.1
IBM InfoSphere Data Architect<=9.2.1

Event History

Aug 13, 2020
CVE Published
12:00 AM
Mar 11, 2022
CVE Published
via MITRE·12:00 AM
Data Sourced
via MITRE·12:00 AM
Description
Data Sourced
via NVD·07:15 AM
DescriptionSeverityWeaknessAffected Software
Data Sourced
11:27 AM
SeverityAffected Software
Mar 12, 2022
Advisory Published
via GitHub·12:00 AM
Mar 16, 2022
Data Sourced
via Red Hat·11:25 AM
DescriptionSeverityAffected Software
Mar 4, 2026
Data Sourced
via IBM·12:00 AM
DescriptionAffected Software

Parent advisories

This vulnerability appears in the following advisories.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the vulnerability ID for this issue?

The vulnerability ID for this issue is CVE-2020-36518.

2

What is the severity level of CVE-2020-36518?

CVE-2020-36518 has a severity level of high (7).

3

How does CVE-2020-36518 cause a denial of service?

CVE-2020-36518 causes a denial of service by exploiting a Java StackOverflow exception through the use of a large depth of nested objects.

4

Which software versions are affected by CVE-2020-36518?

Versions of jackson-databind before 2.13.0 are affected by CVE-2020-36518.

5

How can I fix CVE-2020-36518?

To fix CVE-2020-36518, update jackson-databind to version 2.13.0 or newer.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203